diff --git a/.devcontainer/README.md b/.devcontainer/README.md
index 793f3363cf1..71967768458 100644
--- a/.devcontainer/README.md
+++ b/.devcontainer/README.md
@@ -68,6 +68,20 @@ bash ../../../scripts/member-local-plan.sh
 bash ../../../scripts/member-local-plan.sh -r modernisation-platform-sandbox
 ```
 
+## Support
+
+As this is a community supported feature, help is offered on a best endeavour basis.
+
+If you do need help, please post in [`#devcontainer`](https://moj.enterprise.slack.com/archives/C06DZ4F04JZ)
+
+## Contribution Guidelines
+
+- Check that an existing feature doesn't cover what you're trying to add
+
+- Where possible reuse the existing practices from other features, utilising the shared library `devcontainer-utils`
+
+- If you are creating a feature, add it to the feature testing matrix in the GitHub Actions workflow and ensure appropiate tests exist
+
 ## Maintainers
 
 - [@jacobwoffenden](https://github.com/jacobwoffenden)
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
index 41c4f677096..d8cecf7978a 100644
--- a/.devcontainer/devcontainer.json
+++ b/.devcontainer/devcontainer.json
@@ -2,7 +2,15 @@
   "name": "modernisation-platform-environments",
   "image": "mcr.microsoft.com/vscode/devcontainers/base:ubuntu",
   "features": {
+    "ghcr.io/devcontainers/features/common-utils:2": {
+      "configureZshAsDefaultShell": true 
+    },
+    "./features/src/base": {},
     "./features/src/aws": {},
     "./features/src/terraform": {}
-  }
+  },
+  "overrideFeatureInstallOrder": [
+    "ghcr.io/devcontainers/features/common-utils",
+    "./features/src/base"
+  ]
 }
diff --git a/.devcontainer/features/src/aws/devcontainer-feature.json b/.devcontainer/features/src/aws/devcontainer-feature.json
index 7e9e9979d9a..aba8ccbe93f 100644
--- a/.devcontainer/features/src/aws/devcontainer-feature.json
+++ b/.devcontainer/features/src/aws/devcontainer-feature.json
@@ -16,5 +16,6 @@
       "proposals": ["latest"],
       "default": "latest"
     }
-  }
+  },
+  "installsAfter": ["./features/src/base"]
 }
diff --git a/.devcontainer/features/src/aws/install-aws-cli.sh b/.devcontainer/features/src/aws/install-aws-cli.sh
index adb70e7ae2b..d9fe00977d1 100644
--- a/.devcontainer/features/src/aws/install-aws-cli.sh
+++ b/.devcontainer/features/src/aws/install-aws-cli.sh
@@ -1,37 +1,26 @@
 #!/usr/bin/env bash
 
-set -euo pipefail
+set -e
 
-VERSION=${AWSCLIVERSION:-"latest"}
+source /usr/local/bin/devcontainer-utils
+
+get_system_architecture
+
+VERSION="${AWSCLIVERSION:-"latest"}"
 
 if [[ "${VERSION}" == "latest" ]]; then
-  ARTEFACT="awscli-exe-linux-$( uname -m ).zip"
+  ARTEFACT="awscli-exe-linux-$(uname -m).zip"
 else
-  ARTEFACT="awscli-exe-linux-$( uname -m )-${VERSION}.zip"
+  ARTEFACT="awscli-exe-linux-$(uname -m)-${VERSION}.zip"
 fi
 
-# Install
-
-apt-get update --yes
-
-apt-get -y install --no-install-recommends \
-  ca-certificates \
-  curl \
-  unzip
+curl --fail-with-body --location "https://awscli.amazonaws.com/${ARTEFACT}" \
+  --output "${ARTEFACT}"
 
-curl https://awscli.amazonaws.com/${ARTEFACT} \
-  --output ${ARTEFACT}
-
-unzip ${ARTEFACT}
+unzip "${ARTEFACT}"
 
 bash ./aws/install
 
-rm --force --recursive aws ${ARTEFACT}
-
-# Configure
-
-echo "complete -C '/usr/local/bin/aws_completer' aws" >> /home/vscode/.bashrc
-
-# Cleanup
+rm --recursive --force aws "${ARTEFACT}"
 
-rm --force --recursive /var/lib/apt/lists/*
+install --owner=vscode --group=vscode --mode=775 "$(dirname "${0}")"/src/home/vscode/.devcontainer/feature-completion/aws.sh /home/vscode/.devcontainer/feature-completion/aws.sh
diff --git a/.devcontainer/features/src/aws/install-aws-sso-cli.sh b/.devcontainer/features/src/aws/install-aws-sso-cli.sh
index 12f7bf883e6..e5077fea41d 100644
--- a/.devcontainer/features/src/aws/install-aws-sso-cli.sh
+++ b/.devcontainer/features/src/aws/install-aws-sso-cli.sh
@@ -1,36 +1,29 @@
 #!/usr/bin/env bash
 
-set -euo pipefail
+set -e
 
-VERSION=${AWSSSOCLIVERSION:-"latest"}
+source /usr/local/bin/devcontainer-utils
+
+get_system_architecture
 
-case "$( uname -m )" in
-  x86_64)
-    export ARCHITECTURE="amd64" ;;
-  aarch64 | armv8*)
-    export ARCHITECTURE="arm64" ;;
-  *)
-  echo "(!) Architecture $( uname -m ) unsupported"; exit 1 ;;
-esac
+GITHUB_REPOSITORY="synfinatic/aws-sso-cli"
+VERSION=${AWSSSOCLIVERSION:-"latest"}
 
 if [[ "${VERSION}" == "latest" ]]; then
-  VERSION=$(curl --silent "https://api.github.com/repos/synfinatic/aws-sso-cli/releases/latest" | jq -r '.tag_name')
-  VERSION_STRIP_V=$(echo "${VERSION}" | sed 's/v//')
+  get_github_latest_tag "${GITHUB_REPOSITORY}"
+  VERSION="${GITHUB_LATEST_TAG}"
+  VERSION_STRIP_V="${GITHUB_LATEST_TAG_STRIP_V}"
+else
+  VERSION_STRIP_V="${VERSION#v}"
 fi
 
-# Install
-
-curl --location https://github.com/synfinatic/aws-sso-cli/releases/download/${VERSION}/aws-sso-${VERSION_STRIP_V}-linux-${ARCHITECTURE} \
-  --output /usr/local/bin/aws-sso
-
-chmod +x /usr/local/bin/aws-sso
-
-mkdir --parents /home/vscode/.aws-sso
+curl --location https://github.com/${GITHUB_REPOSITORY}/releases/download/${VERSION}/aws-sso-${VERSION_STRIP_V}-linux-${ARCHITECTURE} \
+  --output "aws-sso"
 
-cp  $( dirname $0 )/src/home/vscode/.aws-sso/config.yaml /home/vscode/.aws-sso/config.yaml
+install --owner=vscode --group=vscode --mode=775 aws-sso /usr/local/bin/aws-sso
 
-chown --recursive vscode:vscode /home/vscode/.aws-sso
+install --directory --owner=vscode --group=vscode /home/vscode/.aws-sso
 
-# Configure
+install --owner=vscode --group=vscode --mode=775 "$(dirname "${0}")"/src/home/vscode/.aws-sso/config.yaml /home/vscode/.aws-sso/config.yaml
 
-echo "export AWS_SSO_FILE_PASSWORD=\"aws_sso_123456789\"" >> /home/vscode/.bashrc
+install --owner=vscode --group=vscode --mode=775 "$(dirname "${0}")"/src/home/vscode/.devcontainer/feature-completion/aws-sso.sh /home/vscode/.devcontainer/feature-completion/aws-sso.sh
diff --git a/.devcontainer/features/src/aws/install.sh b/.devcontainer/features/src/aws/install.sh
index 3d07a4bb2e6..e2fffbdcfa2 100644
--- a/.devcontainer/features/src/aws/install.sh
+++ b/.devcontainer/features/src/aws/install.sh
@@ -1,5 +1,11 @@
 #!/usr/bin/env bash
 
-bash $( dirname $0 )/install-aws-cli.sh
+set -e
 
-bash $( dirname $0 )/install-aws-sso-cli.sh
+source /usr/local/bin/devcontainer-utils
+
+logger "info" "Installing AWS CLI (version: ${AWSCLIVERSION})"
+bash "$(dirname "${0}")"/install-aws-cli.sh
+
+logger "info" "Installing AWS SSO CLI (version: ${AWSSSOCLIVERSION})"
+bash "$(dirname "${0}")"/install-aws-sso-cli.sh
diff --git a/.devcontainer/features/src/aws/src/home/vscode/.devcontainer/feature-completion/aws-sso.sh b/.devcontainer/features/src/aws/src/home/vscode/.devcontainer/feature-completion/aws-sso.sh
new file mode 100644
index 00000000000..57befd0fc3b
--- /dev/null
+++ b/.devcontainer/features/src/aws/src/home/vscode/.devcontainer/feature-completion/aws-sso.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+export AWS_SSO_FILE_PASSWORD="aws_sso_123456789"
diff --git a/.devcontainer/features/src/aws/src/home/vscode/.devcontainer/feature-completion/aws.sh b/.devcontainer/features/src/aws/src/home/vscode/.devcontainer/feature-completion/aws.sh
new file mode 100644
index 00000000000..95a724522f3
--- /dev/null
+++ b/.devcontainer/features/src/aws/src/home/vscode/.devcontainer/feature-completion/aws.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+complete -C '/usr/local/bin/aws_completer' aws
diff --git a/.devcontainer/features/src/base/devcontainer-feature.json b/.devcontainer/features/src/base/devcontainer-feature.json
new file mode 100644
index 00000000000..6825cb777e3
--- /dev/null
+++ b/.devcontainer/features/src/base/devcontainer-feature.json
@@ -0,0 +1,12 @@
+{
+  "id": "base",
+  "version": "1.0.0",
+  "name": "base",
+  "description": "Base",
+  "customizations": {
+    "vscode": {
+      "extensions": ["GitHub.vscode-pull-request-github", "GitHub.vscode-github-actions", "ms-vsliveshare.vsliveshare"]
+    }
+  },
+  "installsAfter": ["ghcr.io/devcontainers/features/common-utils"]
+}
diff --git a/.devcontainer/features/src/base/install.sh b/.devcontainer/features/src/base/install.sh
new file mode 100644
index 00000000000..be2b0dc9a4e
--- /dev/null
+++ b/.devcontainer/features/src/base/install.sh
@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -e
+
+source "$(dirname "${0}")"/src/usr/local/bin/devcontainer-utils
+
+install --owner=vscode --group=vscode --mode=775 "$(dirname "${0}")"/src/usr/local/bin/devcontainer-utils /usr/local/bin/devcontainer-utils
+
+install --owner=vscode --group=vscode --mode=755 "$(dirname "${0}")"/src/usr/local/etc/vscode-dev-containers/first-run-notice.txt /usr/local/etc/vscode-dev-containers/first-run-notice.txt
+
+install --owner=vscode --group=vscode --mode=755 "$(dirname "${0}")"/src/home/vscode/.oh-my-zsh/custom/themes/devcontainers.zsh-theme /home/vscode/.oh-my-zsh/custom/themes/devcontainers.zsh-theme
+
+install --directory --owner=vscode --group=vscode /home/vscode/.devcontainer/feature-completion
+
+cat <<EOF >> /home/vscode/.zshrc
+
+# dev container feature completion scripts
+for file in "\${HOME}"/.devcontainer/feature-completion/*.sh; do
+  source "\${file}"
+done
+EOF
diff --git a/.devcontainer/features/src/base/src/home/vscode/.oh-my-zsh/custom/themes/devcontainers.zsh-theme b/.devcontainer/features/src/base/src/home/vscode/.oh-my-zsh/custom/themes/devcontainers.zsh-theme
new file mode 100644
index 00000000000..9329790fc88
--- /dev/null
+++ b/.devcontainer/features/src/base/src/home/vscode/.oh-my-zsh/custom/themes/devcontainers.zsh-theme
@@ -0,0 +1,51 @@
+# Oh My Zsh! theme - partly inspired by https://github.com/ohmyzsh/ohmyzsh/blob/master/themes/robbyrussell.zsh-theme
+# Source: https://github.com/devcontainers/features/blob/main/src/common-utils/scripts/devcontainers.zsh-theme
+
+__zsh_prompt() {
+    local prompt_username
+    if [ ! -z "${GITHUB_USER}" ]; then 
+        prompt_username="@${GITHUB_USER}"
+    else
+        prompt_username="%n"
+    fi
+    PROMPT="%{$fg[green]%}${prompt_username} %(?:%{$reset_color%}➜ :%{$fg_bold[red]%}➜ )" # User/exit code arrow
+    PROMPT+='%{$fg_bold[blue]%}%(5~|%-1~/…/%3~|%4~)%{$reset_color%} ' # cwd
+    PROMPT+='`\
+        if [ "$(git config --get devcontainers-theme.hide-status 2>/dev/null)" != 1 ] && [ "$(git config --get codespaces-theme.hide-status 2>/dev/null)" != 1 ]; then \
+            export BRANCH=$(git --no-optional-locks symbolic-ref --short HEAD 2>/dev/null || git --no-optional-locks rev-parse --short HEAD 2>/dev/null); \
+            if [ "${BRANCH}" != "" ]; then \
+                echo -n "%{$fg_bold[cyan]%}(%{$fg_bold[red]%}${BRANCH}" \
+                && if [ "$(git config --get devcontainers-theme.show-dirty 2>/dev/null)" = 1 ] && \
+                    git --no-optional-locks ls-files --error-unmatch -m --directory --no-empty-directory -o --exclude-standard ":/*" > /dev/null 2>&1; then \
+                        echo -n " %{$fg_bold[yellow]%}✗"; \
+                fi \
+                && echo -n "%{$fg_bold[cyan]%})%{$reset_color%} "; \
+            fi; \
+        fi`'
+
+    # Terraform
+    if command -v terraform &> /dev/null; then
+      PROMPT+='`\
+          terraformVersion=$(terraform -version | grep Terraform | cut -d " " -f 2 | sed "s/v//"); \
+          echo -n "[ terraform: %{$fg[blue]%}${terraformVersion}%{$reset_color%} ] " \
+      `'
+    fi
+
+    # AWS SSO
+    if command -v aws-sso &> /dev/null; then
+      PROMPT+='`\
+          if [[ ${AWS_SSO_PROFILE} == *"development"* || ${AWS_SSO_PROFILE} == *"test"* ]]; then \
+            echo -n "[ aws: %{$fg[green]%}${AWS_SSO_PROFILE}@${AWS_DEFAULT_REGION}%{$reset_color%} ] "; \
+          elif [[ ${AWS_SSO_PROFILE} == *"preproduction"* ]]; then \
+            echo -n "[ aws: %{$fg[yellow]%}${AWS_SSO_PROFILE}@${AWS_DEFAULT_REGION}%{$reset_color%} ] "; \
+          elif [[ ${AWS_SSO_PROFILE} == *"production"* ]]; then \
+            echo -n "[ aws: %{$fg[red]%}${AWS_SSO_PROFILE}@${AWS_DEFAULT_REGION}%{$reset_color%} ] "; \
+          elif [[ ! -z ${AWS_SSO_PROFILE} ]]; then \
+            echo -n "[ aws: %{$fg[blue]%}${AWS_SSO_PROFILE}@${AWS_DEFAULT_REGION}%{$reset_color%} ] "; \
+          fi`'
+    fi
+
+    PROMPT+='%{$fg[white]%}$ %{$reset_color%}'
+    unset -f __zsh_prompt
+}
+__zsh_prompt
diff --git a/.devcontainer/features/src/base/src/usr/local/bin/devcontainer-utils b/.devcontainer/features/src/base/src/usr/local/bin/devcontainer-utils
new file mode 100644
index 00000000000..cc08938cf86
--- /dev/null
+++ b/.devcontainer/features/src/base/src/usr/local/bin/devcontainer-utils
@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+
+##################################################
+# Environment
+##################################################
+
+export DEBIAN_FRONTEND="noninteractive"
+
+##################################################
+# Function
+##################################################
+
+logger() {
+  local type="${1}"
+  local message="${2}"
+  timestamp=$(date --rfc-3339=seconds)
+  local timestamp
+
+  case "${type}" in
+  err | error)
+    echo "${timestamp} [ERROR] ${message}"
+    ;;
+  info | information)
+    echo "${timestamp} [INFO] ${message}"
+    ;;
+  warn | warning)
+    echo "${timestamp} [WARN] ${message}"
+    ;;
+  esac
+}
+
+get_system_architecture() {
+  systemArchitecture="$(uname -m)"
+  export systemArchitecture
+
+  case ${systemArchitecture} in
+  x86_64)
+    logger "info" "Architecture is x86_64"
+    export ARCHITECTURE="amd64"
+    ;;
+  aarch64 | armv8*)
+    logger "info" "Architecture is aarch64 or armv8"
+    export ARCHITECTURE="arm64"
+    ;;
+  *)
+    logger "error" "Architecture ${systemArchitecture} is not supported"
+    exit 1
+    ;;
+  esac
+}
+
+get_github_latest_tag() {
+  local repository="${1}"
+
+  repositoryLatestTag="$(curl --silent https://api.github.com/repos/"${repository}"/releases/latest | jq -r '.tag_name')"
+  export repositoryLatestTag
+
+  repositoryLatestTagStripV=${repositoryLatestTag//v/}
+
+  logger "info" "GitHub latest tag for ${repository} is ${repositoryLatestTag}"
+  export GITHUB_LATEST_TAG="${repositoryLatestTag}"
+  export GITHUB_LATEST_TAG_STRIP_V="${repositoryLatestTagStripV}"
+}
+
+apt_install() {
+  local packages="${1}"
+
+  apt-get update --yes
+
+  apt-get install --yes --no-install-recommends "${packages}"
+
+  apt-get clean
+
+  rm --force --recursive /var/lib/apt/lists/*
+}
diff --git a/.devcontainer/features/src/base/src/usr/local/etc/vscode-dev-containers/first-run-notice.txt b/.devcontainer/features/src/base/src/usr/local/etc/vscode-dev-containers/first-run-notice.txt
new file mode 100644
index 00000000000..f7cbb878554
--- /dev/null
+++ b/.devcontainer/features/src/base/src/usr/local/etc/vscode-dev-containers/first-run-notice.txt
@@ -0,0 +1,5 @@
+👋 Welcome! You are using the Modernisation Platform Environments dev container image.
+
+🆘 If you need help or assistance, please post in #devcontainer (https://moj.enterprise.slack.com/archives/C06DZ4F04JZ)
+
+🔍 To explore VS Code to its fullest, search using the Command Palette (Cmd/Ctrl + Shift + P or F1)
diff --git a/.devcontainer/features/src/terraform/devcontainer-feature.json b/.devcontainer/features/src/terraform/devcontainer-feature.json
index fdd9d16ebf3..f3d5cdcefec 100644
--- a/.devcontainer/features/src/terraform/devcontainer-feature.json
+++ b/.devcontainer/features/src/terraform/devcontainer-feature.json
@@ -25,5 +25,6 @@
         "editor.defaultFormatter": "hashicorp.terraform"
       }
     }
-  }
+  },
+  "installsAfter": ["./features/src/base"]
 }
diff --git a/.devcontainer/features/src/terraform/install-terraform-switcher.sh b/.devcontainer/features/src/terraform/install-terraform-switcher.sh
index eeabde47f45..4054d262c62 100644
--- a/.devcontainer/features/src/terraform/install-terraform-switcher.sh
+++ b/.devcontainer/features/src/terraform/install-terraform-switcher.sh
@@ -1,53 +1,47 @@
 #!/usr/bin/env bash
 
-set -euo pipefail
+set -e
 
+source /usr/local/bin/devcontainer-utils
+
+get_system_architecture
+
+TERRAFORM_SWITCHER_GITHUB_REPOSITORY="warrensbox/terraform-switcher"
 TERRAFORM_SWITCHER_VERSION=${TERRAFORMSWITCHERVERSION:-"latest"}
+
+TERRAFORM_GITHUB_REPOSITORY="hashicorp/terraform"
 TERRAFORM_VERSION=${TERRAFORMVERSION:-"latest"}
 
-case "$( uname -m )" in
-  x86_64)
-    export ARCHITECTURE="amd64" ;;
-  aarch64 | armv8*)
-    export ARCHITECTURE="arm64" ;;
-  *)
-  echo "(!) Architecture $( uname -m ) unsupported"; exit 1 ;;
-esac
 
 if [[ "${TERRAFORM_SWITCHER_VERSION}" == "latest" ]]; then
-  TERRAFORM_SWITCHER_VERSION=$(curl --silent "https://api.github.com/repos/warrensbox/terraform-switcher/releases/latest" | jq -r '.tag_name')
-  TERRAFORM_SWITCHER_VERSION_STRIP_V=$(echo "${TERRAFORM_SWITCHER_VERSION}" | sed 's/v//g')
+  get_github_latest_tag "${TERRAFORM_SWITCHER_GITHUB_REPOSITORY}"
+  TERRAFORM_SWITCHER_VERSION="${GITHUB_LATEST_TAG}"
+  TERRAFORM_SWITCHER_VERSION_STRIP_V="${GITHUB_LATEST_TAG_STRIP_V}"
+else
+  TERRAFORM_SWITCHER_VERSION_STRIP_V="${TERRAFORM_SWITCHER_VERSION#v}"
 fi
 
 if [[ "${TERRAFORM_VERSION}" == "latest" ]]; then
-  TERRAFORM_VERSION=$(curl --silent "https://api.github.com/repos/hashicorp/terraform/releases/latest" | jq -r '.tag_name' | sed 's/v//g')
+  get_github_latest_tag "${TERRAFORM_GITHUB_REPOSITORY}"
+  TERRAFORM_VERSION="${GITHUB_LATEST_TAG}"
+  TERRAFORM_VERSION_STRIP_V="${GITHUB_LATEST_TAG_STRIP_V}"
+else
+  TERRAFORM_VERSION_STRIP_V="${TERRAFORM_VERSION#v}"
 fi
 
-# Install
-
-curl --location https://github.com/warrensbox/terraform-switcher/releases/download/${TERRAFORM_SWITCHER_VERSION}/terraform-switcher_${TERRAFORM_SWITCHER_VERSION}_linux_${ARCHITECTURE}.tar.gz \
-  --output terraform-switcher_${TERRAFORM_SWITCHER_VERSION}_linux_${ARCHITECTURE}.tar.gz
-
-tar --gzip --extract --file terraform-switcher_${TERRAFORM_SWITCHER_VERSION}_linux_${ARCHITECTURE}.tar.gz
-
-mv tfswitch /usr/local/bin/tfswitch
-
-chmod +x /usr/local/bin/tfswitch
-
-rm --force --recursive CHANGELOG.md LICENSE README.md terraform-switcher_${TERRAFORM_SWITCHER_VERSION}_linux_${ARCHITECTURE}.tar.gz
-
-# Configure
+curl --fail-with-body --location "https://github.com/${TERRAFORM_SWITCHER_GITHUB_REPOSITORY}/releases/download/${TERRAFORM_SWITCHER_VERSION}/terraform-switcher_${TERRAFORM_SWITCHER_VERSION}_linux_${ARCHITECTURE}.tar.gz" \
+  --output "terraform-switcher_${TERRAFORM_SWITCHER_VERSION}_linux_${ARCHITECTURE}.tar.gz"
 
-mkdir --parents /home/vscode/.terraform-bin
+tar --gzip --extract --file "terraform-switcher_${TERRAFORM_SWITCHER_VERSION}_linux_${ARCHITECTURE}.tar.gz"
 
-chown --recursive vscode:vscode /home/vscode/.terraform-bin
+install --owner=vscode --group=vscode --mode=775 tfswitch /usr/local/bin/tfswitch
 
-cp $( dirname $0 )/src/home/vscode/.tfswitch.toml /home/vscode/.tfswitch.toml
+rm --force --recursive CHANGELOG.md LICENSE README.md "terraform-switcher_${TERRAFORM_SWITCHER_VERSION}_linux_${ARCHITECTURE}.tar.gz"
 
-chown vscode:vscode /home/vscode/.tfswitch.toml
+install --directory --owner=vscode --group=vscode /home/vscode/.terraform-bin
 
-su - vscode --command "tfswitch ${TERRAFORM_VERSION}"
+install --owner=vscode --group=vscode --mode=775 "$(dirname "${0}")"/src/home/vscode/.tfswitch.toml /home/vscode/.tfswitch.toml
 
-echo "export PATH=\"\${PATH}:\${HOME}/.terraform-bin\"" >> /home/vscode/.bashrc
+install --owner=vscode --group=vscode --mode=775 "$(dirname "${0}")"/src/home/vscode/.devcontainer/feature-completion/terraform.sh /home/vscode/.devcontainer/feature-completion/terraform.sh
 
-echo "complete -o nospace -C \${HOME}/.terraform-bin/terraform terraform" >> /home/vscode/.bashrc
+su - vscode --command "tfswitch ${TERRAFORM_VERSION_STRIP_V}"
diff --git a/.devcontainer/features/src/terraform/install.sh b/.devcontainer/features/src/terraform/install.sh
index b0102894ec5..a17de1b3fd5 100644
--- a/.devcontainer/features/src/terraform/install.sh
+++ b/.devcontainer/features/src/terraform/install.sh
@@ -1,3 +1,9 @@
 #!/usr/bin/env bash
 
-bash $( dirname $0 )/install-terraform-switcher.sh
+set -e
+
+source /usr/local/bin/devcontainer-utils
+
+logger "info" "Installing Terraform Switcher (version: ${TERRAFORMSWITCHERVERSION})"
+logger "info" "Installing Terraform (version: ${TERRAFORMVERSION})"
+bash "$(dirname "${0}")"/install-terraform-switcher.sh
diff --git a/.devcontainer/features/src/terraform/src/home/vscode/.devcontainer/feature-completion/terraform.sh b/.devcontainer/features/src/terraform/src/home/vscode/.devcontainer/feature-completion/terraform.sh
new file mode 100644
index 00000000000..03f408f46f8
--- /dev/null
+++ b/.devcontainer/features/src/terraform/src/home/vscode/.devcontainer/feature-completion/terraform.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+export PATH="${PATH}:${HOME}/.terraform-bin"
+
+complete -o nospace -C ${HOME}/.terraform-bin/terraform terraform
diff --git a/.devcontainer/features/test/Containerfile b/.devcontainer/features/test/Containerfile
new file mode 100644
index 00000000000..a14867d0b87
--- /dev/null
+++ b/.devcontainer/features/test/Containerfile
@@ -0,0 +1,5 @@
+FROM mcr.microsoft.com/devcontainers/base:ubuntu
+
+COPY .devcontainer/features/src/base/src/usr/local/bin/devcontainer-utils /usr/local/bin/devcontainer-utils
+
+RUN install --directory --owner=vscode --group=vscode /home/vscode/.devcontainer/feature-completion
diff --git a/.devcontainer/features/test/aws/test.sh b/.devcontainer/features/test/aws/test.sh
index a1c552f8c56..8fa5a42d0d2 100644
--- a/.devcontainer/features/test/aws/test.sh
+++ b/.devcontainer/features/test/aws/test.sh
@@ -5,6 +5,10 @@ set -e
 source dev-container-features-test-lib
 
 check "aws version" aws --version
+check "aws completions existence" stat /home/vscode/.devcontainer/feature-completion/aws.sh
+
 check "aws-sso version" aws-sso version
+check "aws-sso completions existence" stat /home/vscode/.devcontainer/feature-completion/aws-sso.sh
+check "aws-sso configuration existence" stat /home/vscode/.aws-sso/config.yaml
 
 reportResults
diff --git a/.devcontainer/features/test/base/test.sh b/.devcontainer/features/test/base/test.sh
new file mode 100644
index 00000000000..e07a01f2527
--- /dev/null
+++ b/.devcontainer/features/test/base/test.sh
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+set -e
+
+source dev-container-features-test-lib
+
+check "devcontainer-utils file existence" stat /usr/local/bin/devcontainer-utils
+check "first-run-notice.txt file existence" stat /usr/local/etc/vscode-dev-containers/first-run-notice.txt
+check "devcontainer feature completion directory existence" stat /home/vscode/.devcontainer/feature-completion
+check "dev container theme file existence" stat /home/vscode/.oh-my-zsh/custom/themes/devcontainers.zsh-theme
+check "feature completion zshrc snippet existence" grep -q "dev container feature completion scripts" /home/vscode/.zshrc
+
+reportResults
diff --git a/.devcontainer/features/test/terraform/test.sh b/.devcontainer/features/test/terraform/test.sh
index ab6742054c8..5aeda20f551 100644
--- a/.devcontainer/features/test/terraform/test.sh
+++ b/.devcontainer/features/test/terraform/test.sh
@@ -6,5 +6,7 @@ source dev-container-features-test-lib
 
 check "tfswitch version" tfswitch --version
 check "terraform version" /home/vscode/.terraform-bin/terraform -version
+check "terraform completions existence" stat /home/vscode/.devcontainer/feature-completion/terraform.sh
+check "tfswitch configuration existence" stat /home/vscode/.tfswitch.toml
 
 reportResults
diff --git a/.github/workflows/devcontainer.yml b/.github/workflows/devcontainer.yml
new file mode 100644
index 00000000000..48cd9faa436
--- /dev/null
+++ b/.github/workflows/devcontainer.yml
@@ -0,0 +1,72 @@
+---
+name: Development Container
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - .github/workflows/devcontainer.yml
+      - .devcontainer/**
+  
+permissions: {}
+
+env:
+  DEVCONTAINER_CLI_VERSION: latest
+
+jobs:
+  build:
+    name: Build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Install devcontainers/cli
+        id: install_devcontainer_cli
+        run: npm install -g @devcontainers/cli@${{ env.DEVCONTAINER_CLI_VERSION }}
+
+      - name: devcontainer build
+        id: devcontainer_build
+        run: devcontainer build --workspace-folder .
+
+  test-features:
+    name: Test Features
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        feature:
+          - base
+          - aws
+          - terraform
+    steps:
+      - name: Checkout
+        id: checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Install devcontainers/cli
+        id: install_devcontainer_cli
+        run: npm install -g @devcontainers/cli@${{ env.DEVCONTAINER_CLI_VERSION }}
+
+      - name: Build Test Image
+        id: build_test_image
+        uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
+        with:
+          file: .devcontainer/features/test/Containerfile
+          load: true
+          tags: devcontainer
+
+      - name: Testing ${{ matrix.feature }}
+        id: test_feature
+        run: |
+          devcontainer features test \
+            --skip-scenarios \
+            --project-folder .devcontainer/features \
+            --features ${{ matrix.feature }} \
+            --base-image devcontainer
diff --git a/terraform/environments/cdpt-chaps/database.tf b/terraform/environments/cdpt-chaps/database.tf
index c1d41bf0d50..de75b22636b 100644
--- a/terraform/environments/cdpt-chaps/database.tf
+++ b/terraform/environments/cdpt-chaps/database.tf
@@ -58,15 +58,6 @@ resource "aws_security_group" "db" {
   }
 }
 
-resource "aws_security_group_rule" "allow_ec2_to_rds" {
-  type              = "ingress"
-  from_port         = 1433
-  to_port           = 1433
-  protocol          = "tcp"
-  source_security_group_id = aws_security_group.cluster_ec2.id
-  security_group_id = aws_security_group.db.id
-}
-
 data "aws_secretsmanager_secret" "db_password" {
   name = aws_secretsmanager_secret.chaps_secret.name
 }
diff --git a/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/iam.tf b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/iam.tf
new file mode 100644
index 00000000000..a3633132976
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/iam.tf
@@ -0,0 +1,138 @@
+#DMS S3 Endpoint role
+resource "aws_iam_role" "dms-s3-role" {
+  count = var.setup_dms_endpoints && var.setup_dms_iam ? 1 : 0
+
+  name = "${var.project_id}-dms-${var.short_name}-s3-endpoint-role"
+  path = "/"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "dms.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+# Attach s3 target operation policy to the role
+resource "aws_iam_policy" "dms-s3-target-policy" {
+  count = var.setup_dms_endpoints && var.setup_dms_iam ? 1 : 0
+
+  name = "${var.project_id}-dms-${var.short_name}-s3-target-policy"
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:*",
+                "kms:*"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}
+
+#DMS Role with s3 Write Access
+resource "aws_iam_role_policy_attachment" "dms-s3-attachment" {
+  count = var.setup_dms_endpoints && var.setup_dms_iam ? 1 : 0
+
+  role       = aws_iam_role.dms-s3-role[0].name
+  policy_arn = aws_iam_policy.dms-s3-target-policy[0].arn
+}
+
+#DMS Operation s3 target role
+resource "aws_iam_role" "dms-operator-s3-target-role" {
+  count = var.setup_dms_endpoints && var.setup_dms_iam ? 1 : 0
+
+  name = "${var.project_id}-dms-${var.short_name}-operator-s3-target-role"
+  path = "/"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "dms.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+EOF
+}
+
+# Attach an admin policy to the Operator role
+resource "aws_iam_policy" "dms-operator-s3-policy" {
+  count = var.setup_dms_endpoints && var.setup_dms_iam ? 1 : 0
+
+  name = "${var.project_id}-dms-${var.short_name}-operator-s3-target-policy"
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "kms:*",
+                "cloudwatch:*",
+                "ec2:CreateNetworkInterface",
+                "ec2:DescribeAvailabilityZones",
+                "ec2:DescribeInternetGateways",
+                "ec2:DescribeSecurityGroups",
+                "ec2:DescribeSubnets",
+                "ec2:DescribeVpcs",
+                "ec2:DeleteNetworkInterface",
+                "ec2:ModifyNetworkInterfaceAttribute"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:*Object*",
+                "s3:PutObjectTagging",
+                "s3:GetBucketLocation"
+            ],
+            "Resource": [
+                "arn:aws:s3::*:dpr-*/*",
+                "arn:aws:s3::*:dpr-*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:ListBucket",
+                "s3:ListAllMyBuckets",
+                "s3:ListAccessPoints",
+                "s3:ListJobs",
+                "s3:ListObjects"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+EOF
+}
+
+#DMS Role with s3 Write Access
+resource "aws_iam_role_policy_attachment" "dms-operator-s3-attachment" {
+  count = var.setup_dms_endpoints && var.setup_dms_iam ? 1 : 0
+
+  role       = aws_iam_role.dms-operator-s3-target-role[0].name
+  policy_arn = aws_iam_policy.dms-operator-s3-policy[0].arn
+}
\ No newline at end of file
diff --git a/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/main.tf b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/main.tf
new file mode 100644
index 00000000000..b16ce2a1764
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/main.tf
@@ -0,0 +1,142 @@
+### DMS replication instance
+resource "aws_dms_replication_instance" "dms-s3-target-instance" {
+  count = var.setup_dms_instance ? 1 : 0
+
+  allocated_storage            = var.replication_instance_storage
+  apply_immediately            = true
+  auto_minor_version_upgrade   = false
+  availability_zone            = var.availability_zone
+  engine_version               = var.replication_instance_version
+  multi_az                     = true
+  preferred_maintenance_window = var.replication_instance_maintenance_window
+  publicly_accessible          = false
+  replication_instance_class   = var.replication_instance_class
+  replication_instance_id      = "${var.name}-instance-${var.env}"
+  replication_subnet_group_id  = aws_dms_replication_subnet_group.dms-s3-target-subnet-group[0].id
+  vpc_security_group_ids       = aws_security_group.dms_s3_target_sec_group[*].id
+
+  tags = merge(
+    var.tags,
+  {
+    name = "${var.name}-instance-${var.env}"
+  })
+
+  timeouts {
+    create = "1h"
+    update = "1h"
+    delete = "1h"
+  }
+
+  depends_on = [
+    aws_dms_replication_subnet_group.dms-s3-target-subnet-group,
+    aws_security_group.dms_s3_target_sec_group
+  ]
+}
+
+# Create a subnet group using existing VPC subnets
+resource "aws_dms_replication_subnet_group" "dms-s3-target-subnet-group" {
+  count = var.setup_dms_instance ? 1 : 0
+
+  replication_subnet_group_description = "DMS replication subnet group"
+  replication_subnet_group_id          = "${var.name}-sg"
+  subnet_ids                           = var.subnet_ids
+}
+
+# Security Groups
+resource "aws_security_group" "dms_s3_target_sec_group" {
+  count = var.setup_dms_instance ? 1 : 0
+
+  name   = "${var.name}-sg"
+  vpc_id = var.vpc
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = var.vpc_cidr
+  }
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+### DMS Task
+# Create a new DMS replication instance
+data "template_file" "table-mappings" {
+  template = var.table_mappings
+
+  vars = {
+    input_schema = var.rename_rule_source_schema
+    output_space = var.rename_rule_output_space
+  }
+}
+
+resource "aws_dms_replication_task" "dms-replication" {
+  count = var.enable_replication_task ? 1 : 0
+
+  migration_type            = var.migration_type
+  replication_instance_arn  = var.dms_replication_instance
+  replication_task_id       = "${var.name}-task-${var.env}"
+  source_endpoint_arn       = var.dms_source_endpoint # aws_dms_endpoint.dms-s3-target-source[0].endpoint_arn
+  target_endpoint_arn       = var.dms_target_endpoint # aws_dms_s3_endpoint.dms-s3-target-endpoint[0].endpoint_arn
+  table_mappings            = data.template_file.table-mappings.rendered
+  replication_task_settings = var.replication_task_settings #JSON
+
+  tags = merge(
+    var.tags,
+  {
+    name = "${var.name}-task-${var.env}"
+  })
+
+}
+
+### DMS Endpoints
+# Create an endpoint for the source database
+resource "aws_dms_endpoint" "dms-s3-target-source" {
+  count = var.setup_dms_endpoints && var.setup_dms_nomis_endpoint ? 1 : 0
+
+  database_name = var.source_db_name
+  endpoint_id   = "${var.project_id}-dms-${var.short_name}-${var.dms_source_name}-source-endpoint"
+  endpoint_type = "source"
+  engine_name   = var.source_engine_name
+  password      = var.source_app_password
+  port          = var.source_db_port
+  server_name   = var.source_address
+  ssl_mode      = "none"
+  username      = var.source_app_username
+
+  extra_connection_attributes = var.extra_attributes
+
+  tags = merge(
+  var.tags,
+  {
+    Resource_Type = "DMS Source Endpoint"
+  })
+}
+
+resource "aws_dms_s3_endpoint" "dms-s3-target-endpoint" {
+  count = var.setup_dms_endpoints && var.setup_dms_s3_endpoint ? 1 : 0
+
+  endpoint_id                      = "${var.project_id}-dms-${var.short_name}-s3-target-endpoint"
+  endpoint_type                    = "target"
+  bucket_name                      = var.bucket_name
+  service_access_role_arn          = aws_iam_role.dms-s3-role[0].arn
+  data_format                      = "parquet"
+  cdc_path                         = "cdc"
+  timestamp_column_name            = "_timestamp"
+  parquet_timestamp_in_millisecond = false
+  include_op_for_full_load         = true
+
+  max_file_size           = 120000
+  cdc_max_batch_interval  = 10
+  cdc_inserts_and_updates = true
+
+  tags = merge(
+  var.tags,
+  {
+    Resource_Type = "DMS Target Endpoint"
+  })
+}
\ No newline at end of file
diff --git a/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/outputs.tf b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/outputs.tf
new file mode 100644
index 00000000000..5f9f38e8096
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/outputs.tf
@@ -0,0 +1,36 @@
+# DMS Instance
+output "dms_instance_name" {
+  value = var.name
+}
+
+output "dms_replication_instance_arn" {
+  value = var.setup_dms_instance ? join("", aws_dms_replication_instance.dms-s3-target-instance.*.replication_instance_arn) : ""
+}
+
+output "dms_subnet_ids" {
+  value = var.subnet_ids
+}
+
+# DMS TASK
+output "dms_replication_task_name" {
+  value = "${var.project_id}-dms-task-${var.short_name}-${var.dms_source_name}-${var.dms_target_name}"
+}
+
+output "dms_replication_task_arn" {
+  value = var.enable_replication_task ? join("", aws_dms_replication_task.dms-replication.*.replication_task_arn) : ""
+}
+
+# DMS Endpoint
+output "dms_target_endpoint_arn" {
+  value = var.setup_dms_endpoints && var.setup_dms_s3_endpoint ? join("", aws_dms_s3_endpoint.dms-s3-target-endpoint.*.endpoint_arn): ""
+}
+
+output "dms_source_endpoint_arn" {
+  value = var.setup_dms_endpoints && var.setup_dms_nomis_endpoint ? join("", aws_dms_endpoint.dms-s3-target-source.*.endpoint_arn): ""
+}
+
+output "dms_s3_iam_policy_admin_arn" {
+  description = "The IAM Policy (ARN) admin of the DMS to S3 target"
+  #value       = concat(aws_iam_policy.dms-operator-s3-policy.*.arn, [""])[0]
+  value = var.setup_dms_endpoints && var.setup_dms_iam ? join("", aws_iam_policy.dms-operator-s3-policy.*.arn) : ""
+}
\ No newline at end of file
diff --git a/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/variables.tf b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/variables.tf
new file mode 100644
index 00000000000..e20f1b51530
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/modules/dms_s3_v2/variables.tf
@@ -0,0 +1,279 @@
+
+variable "account_region" {
+  description = "Current AWS Region."
+  default     = "eu-west-2"
+}
+
+variable "account_id" {
+  description = "AWS Account ID."
+  default     = ""
+}
+
+variable "name" {
+  description = "DMS Replication name."
+  default     = ""
+}
+
+variable "setup_dms_instance" {
+  description = "Enable DMS Instance, True or False"
+  type        = bool
+  default     = false
+}
+
+variable "project_id" {
+  type        = string
+  description = "(Required) Project Short ID that will be used for resources."
+}
+
+variable "env" {
+  type        = string
+  description = "Env Type"
+}
+
+variable "tags" {
+  type        = map(string)
+  default     = {}
+  description = "(Optional) Key-value map of resource tags."
+}
+
+
+variable "availability_zones" {
+  default = [
+    {
+      0 = "eu-west-2a"
+    }
+  ]
+}
+
+
+variable "subnet_ids" {
+  description = "An List of VPC subnet IDs to use in the subnet group"
+  type        = list(string)
+  default     = []
+}
+
+variable "vpc" {
+  type        = string
+  default     = ""  
+}
+
+variable "availability_zone" {
+  default = null
+}
+
+variable "create" {
+  default = true
+}
+
+variable "create_iam_roles" {
+  default = true
+}
+
+variable "iam_role_permissions_boundary" {
+  description = "ARN of the policy that is used to set the permissions boundary for the role"
+  type        = string
+  default     = null
+}
+
+# Used in tagginga and naming the resources
+
+variable "stack_name" {
+  description = "The name of our application"
+  default     = "dblink"
+}
+
+variable "owner" {
+  description = "A group email address to be used in tags"
+  default     = "autobots@ga.gov.au"
+}
+
+#--------------------------------------------------------------
+# DMS general config
+#--------------------------------------------------------------
+
+variable "identifier" {
+  default     = "rds"
+  description = "Name of the database in the RDS"
+}
+
+#--------------------------------------------------------------
+# DMS Replication Instance
+#--------------------------------------------------------------
+
+variable "replication_instance_maintenance_window" {
+  description = "Maintenance window for the replication instance"
+  default     = "sun:10:30-sun:14:30"
+}
+
+variable "replication_instance_storage" {
+  description = "Size of the replication instance in GB"
+  default     = "10"
+}
+
+variable "replication_instance_version" {
+  description = "Engine version of the replication instance"
+  default     = "3.4.6"
+}
+
+variable "replication_instance_class" {
+  description = "Instance class of replication instance"
+  default     = "dms.t2.micro"
+}
+
+#--------------------------------------------------------------
+# Network
+#--------------------------------------------------------------
+
+variable "database_subnet_cidr" {
+  default     = ["10.26.25.208/28", "10.26.25.224/28", "10.26.25.240/28"]
+  description = "List of subnets to be used for databases"
+}
+
+variable "vpc_cidr" {
+  description = "CIDR for the  VPC"
+  type        = list(string)
+  default     = null
+}
+
+#--------------------------------------------------------------
+# DMS Task
+#--------------------------------------------------------------
+variable "table_mappings" {
+  type        = any
+  default     = ""
+}
+
+variable "replication_task_settings" {
+  type        = any
+  default     = {}
+}
+
+variable "rename_rule_source_schema" {
+  description = "The source schema we will rename to a target output 'space'"
+  type        = string
+  default     = ""
+}
+
+variable "rename_rule_output_space" {
+  description = "The name of the target output 'space' that the source schema will be renamed to"
+  type        = string
+  default     = ""
+}
+
+
+variable "enable_replication_task" {
+  description = "Enable DMS Replication Task, True or False"
+  type        = bool
+  default     = false
+}
+
+variable "migration_type" {
+  type        = string
+  description = "DMS Migration Type"
+  default     = ""
+}
+
+variable "dms_replication_instance" {
+  type        = string
+  default     = ""
+  description = "DMS Rep Instance ARN"
+}
+
+variable "dms_source_endpoint" {
+  type        = string
+  default     = ""
+}
+
+variable "dms_target_endpoint" {
+  type        = string
+  default     = ""
+}
+
+#--------------------------------------------------------------
+# DMS Endpoint
+#--------------------------------------------------------------
+
+variable "setup_dms_endpoints" {
+  description = "Enable DMS Endpoints, True or False"
+  type        = bool
+  default     = false    
+}
+
+variable "setup_dms_iam" {
+  description = "Enable DMS IAM, True or False"
+  type        = bool
+  default     = false
+}
+
+variable "setup_dms_nomis_endpoint" {
+  type    = bool
+  default = false
+}
+
+variable "setup_dms_s3_endpoint" {
+  type    = bool
+  default = false
+}
+
+variable "extra_attributes" {
+  type    = string
+  default = null
+}
+
+variable "source_db_name" {
+  description = "Name of the Source database"
+  default     = "oracle"
+}
+
+variable "dms_source_name" {
+  type        = string
+  default     = ""  
+}
+
+variable "dms_target_name" {
+  type        = string
+  default     = ""  
+}
+
+
+variable "short_name" {
+  type        = string
+  default     = ""  
+}
+
+variable "source_address" {
+  default     = ""
+  description = "Default Source Address"    
+}
+
+variable "bucket_name" {
+  type        = string
+  default     = ""  
+}
+
+
+variable "source_db_port" {
+  description = "The port the Application Server will access the database on"
+  default     = null
+}
+
+variable "source_engine" {
+  default     = "oracle-se2"
+  description = "Engine type, example values mysql, postgres"
+}
+
+variable "source_engine_name" {
+  default     = ""
+  description = "Engine name for DMS"
+}
+
+
+variable "source_app_password" {
+  description = "Password for the endpoint to access the source database"
+  default     = ""  
+}
+
+variable "source_app_username" {
+  description = "Username for the endpoint to access the source database"
+  default     = ""  
+}
diff --git a/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/endpoints.tf b/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/endpoints.tf
new file mode 100644
index 00000000000..cd35c1b3bca
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/endpoints.tf
@@ -0,0 +1,24 @@
+# DMS Module to Provision Endpoints
+module "dms_endpoints" {
+  source                   = "../../dms_s3_v2"
+
+  setup_dms_endpoints      = var.setup_dms_endpoints
+  setup_dms_iam            = var.setup_dms_iam
+  setup_dms_nomis_endpoint = var.setup_dms_nomis_endpoint
+  setup_dms_s3_endpoint    = var.setup_dms_s3_endpoint
+  source_engine_name       = var.source_engine_name
+  dms_source_name          = var.dms_source_name
+  dms_target_name          = var.dms_target_name
+  project_id               = var.project_id
+  env                      = var.env # common
+  short_name               = var.short_name
+  source_db_name           = var.source_db_name
+  source_app_username      = var.source_app_username
+  source_app_password      = var.source_app_password
+  source_address           = var.source_address
+  source_db_port           = var.source_db_port
+  extra_attributes         = var.extra_attributes
+  bucket_name              = var.bucket_name
+  
+  tags                     = var.tags
+}
\ No newline at end of file
diff --git a/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/outputs.tf b/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/outputs.tf
new file mode 100644
index 00000000000..810f984976d
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/outputs.tf
@@ -0,0 +1,12 @@
+output "dms_target_endpoint_arn" {
+  value = var.setup_dms_endpoints && var.setup_dms_s3_endpoint ? module.dms_endpoints.dms_target_endpoint_arn : ""
+}
+
+output "dms_source_endpoint_arn" {
+  value = var.setup_dms_endpoints && var.setup_dms_nomis_endpoint ? module.dms_endpoints.dms_source_endpoint_arn : ""
+}
+
+output "dms_s3_iam_policy_admin_arn" {
+  description = "The IAM Policy (ARN) admin of the DMS to S3 target"
+  value       = module.dms_endpoints.dms_s3_iam_policy_admin_arn
+}
\ No newline at end of file
diff --git a/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/variables.tf b/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/variables.tf
new file mode 100644
index 00000000000..cd61d5fbda7
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/modules/domains/dms-endpoints/variables.tf
@@ -0,0 +1,227 @@
+variable "setup_dms_endpoints" {
+  description = "Enable DMS Endpoints, True or False"
+  type        = bool
+  default     = false    
+}
+
+variable "setup_dms_iam" {
+  description = "Enable DMS IAM, True or False"
+  type        = bool
+  default     = false
+}
+
+variable "setup_dms_nomis_endpoint" {
+  type    = bool
+  default = false
+}
+
+variable "setup_dms_s3_endpoint" {
+  type    = bool
+  default = false
+}
+
+variable "project_id" {
+  type        = string
+  description = "(Required) Project Short ID that will be used for resources."
+}
+
+variable "env" {
+  type        = string
+  description = "Env Type"
+}
+
+variable "tags" {
+  type        = map(string)
+  default     = {}
+  description = "(Optional) Key-value map of resource tags."
+}
+
+variable "extra_attributes" {
+  type    = string
+  default = null
+}
+
+variable "dms_source_name" {
+  type        = string
+  default     = ""  
+}
+
+variable "dms_target_name" {
+  type        = string
+  default     = ""  
+}
+
+variable "short_name" {
+  type        = string
+  default     = ""  
+}
+
+variable "source_address" {
+  default     = ""
+  description = "Default Source Address"    
+}
+
+variable "bucket_name" {
+  type = string
+}
+
+variable "create" {
+  default = true
+}
+
+variable "create_iam_roles" {
+  default = true
+}
+
+variable "iam_role_permissions_boundary" {
+  description = "ARN of the policy that is used to set the permissions boundary for the role"
+  type        = string
+  default     = null
+}
+
+# Used in tagginga and naming the resources
+
+variable "stack_name" {
+  description = "The name of our application"
+  default     = "dblink"
+}
+
+variable "owner" {
+  description = "A group email address to be used in tags"
+  default     = "autobots@ga.gov.au"
+}
+
+#--------------------------------------------------------------
+# DMS general config
+#--------------------------------------------------------------
+
+variable "identifier" {
+  default     = "rds"
+  description = "Name of the database in the RDS"
+}
+
+#--------------------------------------------------------------
+# DMS target config
+#--------------------------------------------------------------
+
+variable "target_backup_retention_period" {
+  # Days
+  default     = "30"
+  description = "Retention of RDS backups"
+}
+
+variable "target_backup_window" {
+  default     = "14:00-17:00"
+  description = "RDS backup window"
+}
+
+variable "target_db_port" {
+  description = "The port the Application Server will access the database on"
+  default     = 5432
+}
+
+variable "target_engine_version" {
+  description = "Engine version"
+  default     = "9.3.14"
+}
+
+variable "target_instance_class" {
+  default     = "db.t2.micro"
+  description = "Instance class"
+}
+
+variable "target_maintenance_window" {
+  default     = "Mon:00:00-Mon:03:00"
+  description = "RDS maintenance window"
+}
+
+variable "target_rds_is_multi_az" {
+  description = "Create backup database in separate availability zone"
+  default     = "false"
+}
+
+variable "target_storage" {
+  default     = "10"
+  description = "Storage size in GB"
+}
+
+variable "target_storage_encrypted" {
+  description = "Encrypt storage or leave unencrypted"
+  default     = false
+}
+
+#variable "target_username" {
+#  description = "Username to access the target database"
+#}
+
+#--------------------------------------------------------------
+# DMS source config
+#--------------------------------------------------------------
+
+variable "source_app_password" {
+  description = "Password for the endpoint to access the source database"
+}
+
+variable "source_app_username" {
+  description = "Username for the endpoint to access the source database"
+}
+
+variable "source_db_name" {
+  description = "Name of the Source database"
+  default     = "oracle"
+}
+
+variable "source_db_port" {
+  description = "The port the Application Server will access the database on"
+  default     = null
+}
+
+variable "source_engine" {
+  default     = "oracle-se2"
+  description = "Engine type, example values mysql, postgres"
+}
+
+variable "source_engine_name" {
+  default     = ""
+  description = "Engine name for DMS"
+}
+
+variable "source_engine_version" {
+  description = "Engine version"
+  default     = "12.1.0.2.v8"
+}
+
+variable "source_instance_class" {
+  default     = "db.t2.micro"
+  description = "Instance class"
+}
+
+variable "source_maintenance_window" {
+  default     = "Mon:00:00-Mon:03:00"
+  description = "RDS maintenance window"
+}
+
+variable "source_password" {
+  description = "Password of the source database"
+  default     = ""
+}
+
+variable "source_rds_is_multi_az" {
+  description = "Create backup database in separate availability zone"
+  default     = "false"
+}
+
+variable "source_storage" {
+  default     = "10"
+  description = "Storage size in GB"
+}
+
+variable "source_storage_encrypted" {
+  description = "Encrypt storage or leave unencrypted"
+  default     = false
+}
+
+variable "source_username" {
+  description = "Username to access the source database"
+  default     = ""
+}
diff --git a/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/dms-instance.tf b/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/dms-instance.tf
new file mode 100644
index 00000000000..3d2cd00f969
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/dms-instance.tf
@@ -0,0 +1,18 @@
+# DMS Module to Provision Endpoints
+module "dms_instance" {
+  source                       = "../../dms_s3_v2"
+
+  name                         = var.name
+  project_id                   = var.project_id
+  env                          = var.env  
+  setup_dms_instance           = var.setup_dms_instance
+  availability_zones           = var.availability_zones
+  replication_instance_version = var.replication_instance_version
+  replication_instance_class   = var.replication_instance_class
+  subnet_ids                   = var.subnet_ids
+  vpc_cidr                     = var.vpc_cidr
+  vpc                          = var.vpc
+  short_name                   = var.short_name
+
+  tags = var.tags
+}
\ No newline at end of file
diff --git a/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/outputs.tf b/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/outputs.tf
new file mode 100644
index 00000000000..88d74fbbe9b
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/outputs.tf
@@ -0,0 +1,11 @@
+output "dms_subnet_ids" {
+  value = var.setup_dms_instance ? module.dms_instance.dms_subnet_ids : []
+}
+
+output "dms_instance_name" {
+  value = var.name
+}
+
+output "dms_replication_instance_arn" {
+  value = var.setup_dms_instance ? module.dms_instance.dms_replication_instance_arn : ""
+}
diff --git a/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/variables.tf b/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/variables.tf
new file mode 100644
index 00000000000..121f3da4524
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/modules/domains/dms-instance/variables.tf
@@ -0,0 +1,188 @@
+
+variable "account_region" {
+  description = "Current AWS Region."
+  default     = "eu-west-2"
+}
+
+variable "account_id" {
+  description = "AWS Account ID."
+  default     = ""
+}
+
+variable "dms_source_endpoint" {
+  type        = string
+  default     = ""
+}
+
+variable "dms_target_endpoint" {
+  type        = string
+  default     = ""
+}
+
+variable "name" {
+  description = "DMS Replication name."
+}
+
+variable "enable_replication_task" {
+  description = "Enable DMS Replication Task, True or False"
+  type        = bool
+  default     = false
+}
+
+variable "setup_dms_instance" {
+  description = "Enable DMS Instance, True or False"
+  type        = bool
+  default     = false
+}
+
+variable "project_id" {
+  type        = string
+  description = "(Required) Project Short ID that will be used for resources."
+}
+
+variable "env" {
+  type        = string
+  description = "Env Type"
+}
+
+variable "tags" {
+  type        = map(string)
+  default     = {}
+  description = "(Optional) Key-value map of resource tags."
+}
+
+variable "extra_attributes" {
+  type    = string
+  default = null
+}
+
+variable "dms_source_name" {
+  type = string
+  default = ""
+}
+
+variable "dms_target_name" {
+  type = string
+  default = ""
+}
+
+variable "short_name" {
+  type = string
+  default = ""
+}
+
+variable "migration_type" {
+  type        = string
+  description = "DMS Migration Type"
+  default     = ""
+}
+
+variable "availability_zones" {
+  default = [
+    {
+      0 = "eu-west-2a"
+    }
+  ]
+}
+
+variable "rename_rule_source_schema" {
+  description = "The source schema we will rename to a target output 'space'"
+  type        = string
+  default     = ""
+}
+
+variable "rename_rule_output_space" {
+  description = "The name of the target output 'space' that the source schema will be renamed to"
+  type        = string
+  default     = ""
+}
+
+
+variable "subnet_ids" {
+  description = "An List of VPC subnet IDs to use in the subnet group"
+  type        = list(string)
+  default     = []
+}
+
+variable "vpc" {
+  type        = string
+  default     = ""  
+}
+
+variable "availability_zone" {
+  default = null
+}
+
+variable "create" {
+  default = true
+}
+
+variable "create_iam_roles" {
+  default = true
+}
+
+variable "iam_role_permissions_boundary" {
+  description = "ARN of the policy that is used to set the permissions boundary for the role"
+  type        = string
+  default     = null
+}
+
+# Used in tagginga and naming the resources
+
+variable "stack_name" {
+  description = "The name of our application"
+  default     = "dblink"
+}
+
+variable "owner" {
+  description = "A group email address to be used in tags"
+  default     = "autobots@ga.gov.au"
+}
+
+#--------------------------------------------------------------
+# DMS Replication Instance
+#--------------------------------------------------------------
+
+variable "replication_instance_maintenance_window" {
+  description = "Maintenance window for the replication instance"
+  default     = "sun:10:30-sun:14:30"
+}
+
+variable "replication_instance_storage" {
+  description = "Size of the replication instance in GB"
+  default     = "10"
+}
+
+variable "replication_instance_version" {
+  description = "Engine version of the replication instance"
+  default     = "3.4.6"
+}
+
+variable "replication_instance_class" {
+  description = "Instance class of replication instance"
+  default     = "dms.t2.micro"
+}
+
+#--------------------------------------------------------------
+# DMS general config
+#--------------------------------------------------------------
+
+variable "identifier" {
+  default     = "rds"
+  description = "Name of the database in the RDS"
+}
+
+#--------------------------------------------------------------
+# Network
+#--------------------------------------------------------------
+
+variable "database_subnet_cidr" {
+  default     = ["10.26.25.208/28", "10.26.25.224/28", "10.26.25.240/28"]
+  description = "List of subnets to be used for databases"
+}
+
+variable "vpc_cidr" {
+  description = "CIDR for the  VPC"
+  type        = list(string)
+  default     = null
+}
\ No newline at end of file
diff --git a/terraform/environments/digital-prison-reporting/modules/domains/dms-task/dms-task.tf b/terraform/environments/digital-prison-reporting/modules/domains/dms-task/dms-task.tf
new file mode 100644
index 00000000000..3a88d846348
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/modules/domains/dms-task/dms-task.tf
@@ -0,0 +1,20 @@
+# DMS Module to Provision TASK
+module "dms_task" {
+  source                     = "../../dms_s3_v2"
+
+  enable_replication_task    = var.enable_replication_task
+  name                       = var.name
+  project_id                 = var.project_id
+  env                        = var.env
+  dms_replication_instance   = var.dms_replication_instance
+  migration_type             = var.migration_type
+  replication_task_settings  = var.replication_task_settings
+  table_mappings             = var.table_mappings
+  rename_rule_source_schema  = var.rename_rule_source_schema
+  rename_rule_output_space   = var.rename_rule_output_space
+  dms_source_endpoint        = var.dms_source_endpoint
+  dms_target_endpoint        = var.dms_target_endpoint
+  short_name                 = var.short_name
+
+  tags                       = var.tags
+}
\ No newline at end of file
diff --git a/terraform/environments/digital-prison-reporting/modules/domains/dms-task/outputs.tf b/terraform/environments/digital-prison-reporting/modules/domains/dms-task/outputs.tf
new file mode 100644
index 00000000000..361f1b56388
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/modules/domains/dms-task/outputs.tf
@@ -0,0 +1,7 @@
+output "dms_replication_task_name" {
+  value = var.enable_replication_task ? var.name : ""
+}
+
+output "dms_replication_task_arn" {
+  value = var.enable_replication_task ? module.dms_task.dms_replication_task_arn : ""
+}
\ No newline at end of file
diff --git a/terraform/environments/digital-prison-reporting/modules/domains/dms-task/variables.tf b/terraform/environments/digital-prison-reporting/modules/domains/dms-task/variables.tf
new file mode 100644
index 00000000000..e4198611dd9
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/modules/domains/dms-task/variables.tf
@@ -0,0 +1,76 @@
+variable "table_mappings" {
+  type        = any
+  default     = ""
+}
+
+variable "replication_task_settings" {
+  type        = any
+  default     = {}
+}
+
+variable "rename_rule_source_schema" {
+  description = "The source schema we will rename to a target output 'space'"
+  type        = string
+  default     = ""
+}
+
+variable "rename_rule_output_space" {
+  description = "The name of the target output 'space' that the source schema will be renamed to"
+  type        = string
+  default     = ""
+}
+
+variable "enable_replication_task" {
+  description = "Enable DMS Replication Task, True or False"
+  type        = bool
+  default     = false
+}
+
+variable "migration_type" {
+  type        = string
+  description = "DMS Migration Type"
+  default     = ""
+}
+
+variable "dms_replication_instance" {
+  type        = string
+  default     = ""
+  description = "DMS Rep Instance ARN"
+}
+
+variable "dms_source_endpoint" {
+  type        = string
+  default     = ""
+}
+
+variable "dms_target_endpoint" {
+  type        = string
+  default     = ""
+}
+
+variable "name" {
+  description   = "DMS Replication name."
+  default       = ""
+}
+
+variable "env" {
+  type        = string
+  description = "Env Type"
+}
+
+variable "project_id" {
+  type        = string
+  description = "(Required) Project Short ID that will be used for resources."
+}
+
+variable "tags" {
+  type        = map(string)
+  default     = {}
+  description = "(Optional) Key-value map of resource tags."
+}
+
+
+variable "short_name" {
+  type        = string
+  default     = ""  
+}
\ No newline at end of file
diff --git a/terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs/glue.tf b/terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs/glue.tf
new file mode 100644
index 00000000000..569ab93ba3a
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs/glue.tf
@@ -0,0 +1,108 @@
+# CDC JOB
+module "glue_reporting_hub_cdc_job" {
+  source                        = "../../glue_job"
+  create_job                    = var.setup_cdc_job
+  create_role                   = var.glue_cdc_create_role # Needs to Set to TRUE
+  name                          = var.glue_cdc_job_name
+  short_name                    = var.glue_cdc_job_short_name
+  command_type                  = "gluestreaming"
+  description                   = var.glue_cdc_description
+  create_security_configuration = var.glue_cdc_create_sec_conf
+  job_language                  = var.glue_cdc_language
+  checkpoint_dir                = var.glue_cdc_checkpoint_dir
+  temp_dir                      = var.glue_cdc_temp_dir
+  spark_event_logs              = var.glue_cdc_spark_event_logs
+  script_location               = "s3://${var.project_id}-artifact-store-${var.env}/build-artifacts/digital-prison-reporting-jobs/scripts/${var.script_version}"
+  enable_continuous_log_filter  = var.glue_cdc_enable_cont_log_filter
+  project_id                    = var.project_id
+  aws_kms_key                   = var.s3_kms_arn
+  execution_class               = var.glue_cdc_execution_class
+  additional_policies           = var.glue_cdc_additional_policies
+  worker_type                   = var.glue_cdc_job_worker_type
+  number_of_workers             = var.glue_cdc_job_num_workers
+  max_concurrent                = var.glue_cdc_max_concurrent
+  region                        = var.account_region
+  account                       = var.account_id
+  log_group_retention_in_days   = var.glue_cdc_log_group_retention_in_days
+
+  arguments = var.glue_cdc_arguments
+
+  tags = merge(
+    var.tags,
+    {
+      Resource_Type = "Glue Job"
+    }
+  )  
+}
+
+# Batch JOB
+# Glue Job, Reporting Hub Batch
+module "glue_reporting_hub_batch_job" {
+  source                        = "../../glue_job"
+  create_job                    = var.setup_batch_job
+  create_role                   = var.glue_batch_create_role # Needs to Set to TRUE
+  name                          = var.glue_batch_job_name
+  short_name                    = var.glue_batch_job_short_name
+  command_type                  = "glueetl"
+  description                   = var.glue_batch_description
+  create_security_configuration = var.glue_batch_create_sec_conf
+  job_language                  = var.glue_batch_language
+  temp_dir                      = var.glue_batch_temp_dir
+  spark_event_logs              = var.glue_batch_spark_event_logs
+  script_location               = "s3://${var.project_id}-artifact-store-${var.env}/build-artifacts/digital-prison-reporting-jobs/scripts/${var.script_version}"
+  enable_continuous_log_filter  = var.glue_batch_enable_cont_log_filter
+  project_id                    = var.project_id
+  aws_kms_key                   = var.s3_kms_arn
+  execution_class               = var.glue_batch_execution_class
+  additional_policies           = var.glue_batch_additional_policies
+  worker_type                   = var.glue_batch_job_worker_type
+  number_of_workers             = var.glue_batch_job_num_workers
+  max_concurrent                = var.glue_batch_max_concurrent #64
+  region                        = var.account_region
+  account                       = var.account_id
+  log_group_retention_in_days   = var.glue_batch_log_group_retention_in_days
+
+  arguments                     = var.glue_batch_arguments
+
+  tags = merge(
+    var.tags,
+    {
+      Resource_Type = "Glue Job"
+    }
+  ) 
+}
+
+# Hive Tables Creation JOB
+module "glue_hive_table_setup_job" {
+  source                        = "../../glue_job"
+  create_job                    = var.setup_hive_job
+  create_role                   = var.glue_hive_create_role # Needs to Set to TRUE
+  name                          = var.glue_hive_job_name
+  short_name                    = var.glue_hive_job_short_name
+  command_type                  = "glueetl"
+  description                   = var.glue_hive_description
+  create_security_configuration = var.glue_hive_create_sec_conf
+  job_language                  = "scala"
+  temp_dir                      = var.glue_hive_temp_dir
+  spark_event_logs              = var.glue_hive_spark_event_logs
+  script_location               = "s3://${var.project_id}-artifact-store-${var.env}/build-artifacts/digital-prison-reporting-jobs/scripts/${var.script_version}"
+  enable_continuous_log_filter  = var.glue_hive_enable_cont_log_filter
+  project_id                    = var.project_id
+  aws_kms_key                   = var.s3_kms_arn
+  execution_class               = var.glue_hive_execution_class
+  worker_type                   = var.glue_hive_job_worker_type
+  number_of_workers             = var.glue_hive_job_num_workers
+  max_concurrent                = var.glue_hive_max_concurrent #64
+  region                        = var.account_region
+  account                       = var.account_id
+  log_group_retention_in_days   = var.glue_hive_log_group_retention_in_days
+
+  arguments                     = var.glue_hive_arguments
+
+  tags = merge(
+    var.tags,
+    {
+      Resource_Type = "Glue Job"
+    }
+  )
+}
diff --git a/terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs/variables.tf b/terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs/variables.tf
new file mode 100644
index 00000000000..bb0f105726d
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs/variables.tf
@@ -0,0 +1,470 @@
+variable "project_id" {
+  type        = string
+  description = "(Required) Project Short ID that will be used for resources."
+}
+
+## Glue job BATCH
+variable "tags" {
+  type        = map(string)
+  default     = {}
+  description = "(Optional) Key-value map of resource tags."
+}
+
+variable "glue_batch_arguments" {
+  type    = map(any)
+  default = {}
+}
+
+variable "setup_batch_job" {
+  description = "Enable Batch Job, True or False"
+  type        = bool
+  default     = false  
+}
+
+variable "glue_batch_job_name" {
+  description = "Name of the Glue CDC Job"
+  default     = ""  
+}
+
+variable "glue_batch_job_short_name" {
+  description = "Name of the Glue CDC Job"
+  default     = ""  
+}
+
+variable "glue_batch_description" {
+  description = "Job Description"
+  default     = ""  
+}
+
+variable "glue_batch_create_sec_conf" {
+  type        = bool
+  default     = false
+  description = "(Optional) Create AWS Glue Security Configuration associated with the job."
+}
+
+variable "glue_batch_log_group_retention_in_days" {
+  type        = number
+  default     = 1
+  description = "(Optional) The default number of days log events retained in the glue job log group."
+}
+
+
+variable "glue_batch_language" {
+  type        = string
+  default     = "python"
+  description = "(Optional) The script programming language."
+
+  validation {
+    condition     = contains(["scala", "python"], var.glue_batch_language)
+    error_message = "Accepts a value of 'scala' or 'python'."
+  }
+}
+
+variable "glue_batch_temp_dir" {
+  type        = string
+  default     = null
+  description = "(Optional) Specifies an Amazon S3 path to a bucket that can be used as a temporary directory for the job."
+}
+
+variable "glue_batch_checkpoint_dir" {
+  type        = string
+  default     = null
+  description = "(Optional) Specifies an Amazon S3 path to a bucket that can be used as a Checkoint directory for the job."
+}
+
+variable "glue_batch_spark_event_logs" {
+  type        = string
+  default     = null
+  description = "(Optional) Specifies an Amazon S3 path to a bucket that can be used as a Spark Event Logs directory for the job."
+}
+
+variable "glue_batch_script_location" {
+  type        = string
+  description = "(Optional) Specifies the S3 path to a script that executes a job."
+  default     = ""
+}
+
+variable "glue_batch_enable_cont_log_filter" {
+  type        = bool
+  default     = true
+  description = "(Optional) Specifies a standard filter or no filter when you create or edit a job enabled for continuous logging."
+}
+
+variable "glue_batch_execution_class" {
+  default     = "STANDARD"
+  description = "Execution CLass Standard or FLex"
+}
+
+variable "glue_batch_job_worker_type" {
+  type        = string
+  default     = "G.1X"
+  description = "(Optional) The type of predefined worker that is allocated when a job runs."
+
+  validation {
+    condition     = contains(["Standard", "G.1X", "G.2X"], var.glue_batch_job_worker_type)
+    error_message = "Accepts a value of Standard, G.1X, or G.2X."
+  }
+}
+
+variable "glue_batch_job_num_workers" {
+  type        = number
+  default     = 2
+  description = "(Optional) The number of workers of a defined workerType that are allocated when a job runs."
+}
+
+variable "glue_batch_additional_policies" {
+  type        = string
+  default     = ""
+  description = "(Optional) The list of Policies used for this job."
+}
+
+variable "glue_batch_max_concurrent" {
+  type        = number
+  default     = 1
+  description = "(Optional) The maximum number of concurrent runs allowed for a job."
+}
+
+variable "glue_batch_create_role" {
+  type        = bool
+  default     = false
+  description = "(Optional) Create AWS IAM role associated with the job."
+}
+
+
+# CDC
+
+## Glue job CDC
+
+variable "glue_cdc_arguments" {
+  type    = map(any)
+  default = {}
+}
+
+variable "setup_cdc_job" {
+  description = "Enable CDC Job, True or False"
+  type        = bool
+  default     = false  
+}
+
+variable "glue_cdc_job_name" {
+  description = "Name of the Glue CDC Job"
+  default     = ""  
+}
+
+variable "glue_cdc_job_short_name" {
+  description = "Name of the Glue CDC Job"
+  default     = ""  
+}
+
+variable "glue_cdc_description" {
+  description = "Job Description"
+  default     = ""  
+}
+
+variable "glue_cdc_create_sec_conf" {
+  type        = bool
+  default     = false
+  description = "(Optional) Create AWS Glue Security Configuration associated with the job."
+}
+
+variable "glue_cdc_log_group_retention_in_days" {
+  type        = number
+  default     = 1
+  description = "(Optional) The default number of days log events retained in the glue job log group."
+}
+
+
+variable "glue_cdc_language" {
+  type        = string
+  default     = "python"
+  description = "(Optional) The script programming language."
+
+  validation {
+    condition     = contains(["scala", "python"], var.glue_cdc_language)
+    error_message = "Accepts a value of 'scala' or 'python'."
+  }
+}
+
+variable "glue_cdc_temp_dir" {
+  type        = string
+  default     = null
+  description = "(Optional) Specifies an Amazon S3 path to a bucket that can be used as a temporary directory for the job."
+}
+
+variable "glue_cdc_checkpoint_dir" {
+  type        = string
+  default     = null
+  description = "(Optional) Specifies an Amazon S3 path to a bucket that can be used as a Checkoint directory for the job."
+}
+
+variable "glue_cdc_spark_event_logs" {
+  type        = string
+  default     = null
+  description = "(Optional) Specifies an Amazon S3 path to a bucket that can be used as a Spark Event Logs directory for the job."
+}
+
+variable "glue_cdc_script_location" {
+  type        = string
+  description = "(Optional) Specifies the S3 path to a script that executes a job."
+  default     = ""
+}
+
+variable "glue_cdc_enable_cont_log_filter" {
+  type        = bool
+  default     = true
+  description = "(Optional) Specifies a standard filter or no filter when you create or edit a job enabled for continuous logging."
+}
+
+variable "s3_kms_arn" {
+  type        = string
+  default     = ""
+  description = "(Optional) The ARN of the kMS Key associated to S3"
+}
+
+variable "glue_cdc_execution_class" {
+  default     = "STANDARD"
+  description = "Execution CLass Standard or FLex"
+}
+
+variable "glue_cdc_job_worker_type" {
+  type        = string
+  default     = "G.1X"
+  description = "(Optional) The type of predefined worker that is allocated when a job runs."
+
+  validation {
+    condition     = contains(["Standard", "G.1X", "G.2X"], var.glue_cdc_job_worker_type)
+    error_message = "Accepts a value of Standard, G.1X, or G.2X."
+  }
+}
+
+variable "glue_cdc_job_num_workers" {
+  type        = number
+  default     = 2
+  description = "(Optional) The number of workers of a defined workerType that are allocated when a job runs."
+}
+
+variable "glue_cdc_additional_policies" {
+  type        = string
+  default     = ""
+  description = "(Optional) The list of Policies used for this job."
+}
+
+variable "glue_cdc_max_concurrent" {
+  type        = number
+  default     = 1
+  description = "(Optional) The maximum number of concurrent runs allowed for a job."
+}
+
+variable "account_region" {
+  description = "Current AWS Region."
+  default     = "eu-west-2"
+}
+
+variable "account_id" {
+  description = "AWS Account ID."
+  default     = ""
+}
+
+variable "glue_cdc_create_role" {
+  type        = bool
+  default     = false
+  description = "(Optional) Create AWS IAM role associated with the job."
+}
+
+# Lambda
+variable "setup_step_function_notification_lambda" {
+  description = "Enable Step Function Notification Lambda, True or False ?"
+  type        = bool
+  default     = false
+}
+
+variable "step_function_notification_lambda" {
+  description = "Name for Notification Lambda Name"
+  type        = string
+  default     = ""
+}
+
+variable "s3_file_transfer_lambda_code_s3_bucket" {
+  description = "S3 File Transfer Lambda Code Bucket ID"
+  type        = string
+  default     = ""
+}
+
+variable "reporting_lambda_code_s3_key"{
+  description = "S3 File Transfer Lambda Code Bucket KEY"
+  type        = string
+  default     = ""  
+}
+
+variable "step_function_notification_lambda_handler" {
+  description = "Notification Lambda Handler"
+  type        = string
+  default     = "uk.gov.justice.digital.lambda.StepFunctionDMSNotificationLambda::handleRequest" 
+}
+
+variable "step_function_notification_lambda_runtime" {
+  description = "Lambda Runtime"
+  type        = string
+  default     = "java11"    
+}
+
+variable "step_function_notification_lambda_policies" {
+  description = "An List of Notification Lambda Policies"
+  type        = list(string)
+  default     = []  
+}
+
+variable "step_function_notification_lambda_tracing" {
+  description = "Lambda Tracing"
+  type        = string
+  default     = "Active"
+}
+
+variable "step_function_notification_lambda_trigger" {
+  description = "Name for Notification Lambda Trigger Name"
+  type        = string
+  default     = ""
+}
+
+variable "lambda_subnet_ids" {
+  description = "Lambda Subnet ID's"
+  type        = list(string)
+  default     = []
+}
+
+variable "lambda_security_group_ids" {
+  description = "Lambda Security Group ID's"
+  type        = list(string)
+  default     = []
+}
+
+variable "env" {
+  type        = string
+  description = "Env Type"
+}
+
+variable "script_version" {}
+variable "jar_version" {}
+
+# HIVE
+
+## Glue job hive
+variable "glue_hive_arguments" {
+  type    = map(any)
+  default = {}
+}
+
+variable "setup_hive_job" {
+  description = "Enable hive Job, True or False"
+  type        = bool
+  default     = false  
+}
+
+variable "glue_hive_job_name" {
+  description = "Name of the Glue CDC Job"
+  default     = ""  
+}
+
+variable "glue_hive_job_short_name" {
+  description = "Name of the Glue CDC Job"
+  default     = ""  
+}
+
+variable "glue_hive_description" {
+  description = "Job Description"
+  default     = ""  
+}
+
+variable "glue_hive_create_sec_conf" {
+  type        = bool
+  default     = false
+  description = "(Optional) Create AWS Glue Security Configuration associated with the job."
+}
+
+variable "glue_hive_log_group_retention_in_days" {
+  type        = number
+  default     = 1
+  description = "(Optional) The default number of days log events retained in the glue job log group."
+}
+
+
+variable "glue_hive_language" {
+  type        = string
+  default     = "python"
+  description = "(Optional) The script programming language."
+
+  validation {
+    condition     = contains(["scala", "python"], var.glue_hive_language)
+    error_message = "Accepts a value of 'scala' or 'python'."
+  }
+}
+
+variable "glue_hive_temp_dir" {
+  type        = string
+  default     = null
+  description = "(Optional) Specifies an Amazon S3 path to a bucket that can be used as a temporary directory for the job."
+}
+
+variable "glue_hive_checkpoint_dir" {
+  type        = string
+  default     = null
+  description = "(Optional) Specifies an Amazon S3 path to a bucket that can be used as a Checkoint directory for the job."
+}
+
+variable "glue_hive_spark_event_logs" {
+  type        = string
+  default     = null
+  description = "(Optional) Specifies an Amazon S3 path to a bucket that can be used as a Spark Event Logs directory for the job."
+}
+
+variable "glue_hive_script_location" {
+  type        = string
+  description = "(Optional) Specifies the S3 path to a script that executes a job."
+  default     = ""
+}
+
+variable "glue_hive_enable_cont_log_filter" {
+  type        = bool
+  default     = true
+  description = "(Optional) Specifies a standard filter or no filter when you create or edit a job enabled for continuous logging."
+}
+
+variable "glue_hive_execution_class" {
+  default     = "STANDARD"
+  description = "Execution CLass Standard or FLex"
+}
+
+variable "glue_hive_job_worker_type" {
+  type        = string
+  default     = "G.1X"
+  description = "(Optional) The type of predefined worker that is allocated when a job runs."
+
+  validation {
+    condition     = contains(["Standard", "G.1X", "G.2X"], var.glue_hive_job_worker_type)
+    error_message = "Accepts a value of Standard, G.1X, or G.2X."
+  }
+}
+
+variable "glue_hive_job_num_workers" {
+  type        = number
+  default     = 2
+  description = "(Optional) The number of workers of a defined workerType that are allocated when a job runs."
+}
+
+variable "glue_hive_additional_policies" {
+  type        = string
+  default     = ""
+  description = "(Optional) The list of Policies used for this job."
+}
+
+variable "glue_hive_max_concurrent" {
+  type        = number
+  default     = 1
+  description = "(Optional) The maximum number of concurrent runs allowed for a job."
+}
+
+variable "glue_hive_create_role" {
+  type        = bool
+  default     = false
+  description = "(Optional) Create AWS IAM role associated with the job."
+}
diff --git a/terraform/environments/digital-prison-reporting/modules/domains/ingestion-pipeline/pipeline.tf b/terraform/environments/digital-prison-reporting/modules/domains/ingestion-pipeline/pipeline.tf
new file mode 100644
index 00000000000..ee3d79c2282
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/modules/domains/ingestion-pipeline/pipeline.tf
@@ -0,0 +1,145 @@
+# Data Ingest Pipeline Step Function
+module "data_ingestion_pipeline" {
+  source = "../../step_function"
+
+  enable_step_function = var.setup_data_ingestion_pipeline
+  step_function_name   = var.data_ingestion_pipeline
+  dms_task_time_out    = var.pipeline_dms_task_time_out
+
+  additional_policies = var.pipeline_additional_policies
+
+  # Send this block to the calling repo Pipeline
+  #depends_on = [
+  #  aws_iam_policy.invoke_lambda_policy,
+  #  aws_iam_policy.start_dms_task_policy,
+  #  aws_iam_policy.trigger_glue_job_policy,
+  #  module.dms_nomis_to_s3_ingestor.dms_replication_task_arn,
+  #  module.glue_reporting_hub_batch_job.name,
+  #  module.glue_reporting_hub_cdc_job.name,
+  #  module.glue_hive_table_creation_job.name,
+  #  module.s3_file_transfer_lambda.lambda_function,
+  #  module.step_function_notification_lambda.lambda_function
+  #]
+
+  definition = jsonencode(
+    {
+      "Comment" : "Data Ingestion Pipeline Step Function",
+      "StartAt" : "Start DMS Replication Task",
+      "States" : {
+        "Start DMS Replication Task" : {
+          "Type" : "Task",
+          "Resource" : "arn:aws:states:::aws-sdk:databasemigration:startReplicationTask",
+          "Parameters" : {
+            "ReplicationTaskArn" : var.dms_replication_task_arn,
+            "StartReplicationTaskType" : "reload-target"
+          },
+          "Next" : "Invoke DMS State Control Lambda"
+        },
+        "Invoke DMS State Control Lambda" : {
+          "Type" : "Task",
+          "TimeoutSeconds" : var.pipeline_dms_task_time_out,
+          "Resource" : "arn:aws:states:::lambda:invoke.waitForTaskToken",
+          "Parameters" : {
+            "Payload" : {
+              "token.$" : "$$.Task.Token",
+              "replicationTaskArn" : var.dms_replication_task_arn
+            },
+            "FunctionName" : var.pipeline_notification_lambda_function
+          },
+          "Retry" : [
+            {
+              "ErrorEquals" : [
+                "Lambda.ServiceException",
+                "Lambda.AWSLambdaException",
+                "Lambda.SdkClientException",
+                "Lambda.TooManyRequestsException"
+              ],
+              "IntervalSeconds" : 60,
+              "MaxAttempts" : 2,
+              "BackoffRate" : 2
+            }
+          ],
+          "Next" : "Start Glue Batch Job"
+        },
+        "Start Glue Batch Job" : {
+          "Type" : "Task",
+          "Resource" : "arn:aws:states:::glue:startJobRun.sync",
+          "Parameters" : {
+            "JobName" : var.glue_reporting_hub_batch_jobname,
+            "Arguments" : {
+              "--dpr.config.s3.bucket" : var.s3_glue_bucket_id,
+              "--dpr.config.key" : var.domain
+            }
+          },
+          "Next" : "Invoke S3 File Transfer Lambda"
+        },
+        "Invoke S3 File Transfer Lambda" : {
+          "Type" : "Task",
+          "Resource" : "arn:aws:states:::lambda:invoke.waitForTaskToken",
+          "Parameters" : {
+            "Payload" : {
+              "token.$" : "$$.Task.Token",
+              "sourceBucket" : var.s3_raw_bucket_id,
+              "destinationBucket" : var.s3_raw_archive_bucket_id,
+              "config" : {
+                "bucket" : var.s3_glue_bucket_id,
+                "key" : var.domain
+              }              
+            },
+            "FunctionName" : var.s3_file_transfer_lambda_function
+          },
+          "Retry" : [
+            {
+              "ErrorEquals" : [
+                "Lambda.ServiceException",
+                "Lambda.AWSLambdaException",
+                "Lambda.SdkClientException",
+                "Lambda.TooManyRequestsException"
+              ],
+              "IntervalSeconds" : 600,
+              "MaxAttempts" : 2,
+              "BackoffRate" : 2
+            }
+          ],
+          "Next" : "Create Hive Tables"
+        },
+        "Create Hive Tables" : {
+          "Type" : "Task",
+          "Resource" : "arn:aws:states:::glue:startJobRun.sync",
+          "Parameters" : {
+            "JobName" : var.glue_hive_table_creation_jobname,
+            "Arguments" : {
+              "--dpr.config.s3.bucket" : var.s3_glue_bucket_id,
+              "--dpr.config.key" : var.domain
+            }            
+          },
+          "Next" : "Resume DMS Replication Task"
+        },
+        "Resume DMS Replication Task" : {
+          "Type" : "Task",
+          "Resource" : "arn:aws:states:::aws-sdk:databasemigration:startReplicationTask",
+          "Parameters" : { 
+            "ReplicationTaskArn" : var.dms_replication_task_arn,
+            "StartReplicationTaskType" : "resume-processing"
+          },
+          "Next" : "Start Glue Streaming Job"
+        },
+        "Start Glue Streaming Job" : {
+          "Type" : "Task",
+          "Resource" : "arn:aws:states:::glue:startJobRun",
+          "Parameters" : {
+            "JobName" : var.glue_reporting_hub_cdc_jobname,
+            "Arguments" : {
+              "--dpr.config.s3.bucket" : var.s3_glue_bucket_id,
+              "--dpr.config.key" : var.domain
+            }            
+          },
+          "End" : true
+        }
+      }
+    }
+  )
+
+  tags = var.tags
+
+}
\ No newline at end of file
diff --git a/terraform/environments/digital-prison-reporting/modules/domains/ingestion-pipeline/variables.tf b/terraform/environments/digital-prison-reporting/modules/domains/ingestion-pipeline/variables.tf
new file mode 100644
index 00000000000..0bd69da34bd
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/modules/domains/ingestion-pipeline/variables.tf
@@ -0,0 +1,86 @@
+# STEP FUNCTION, Pipeline
+variable "setup_data_ingestion_pipeline"  {
+  description = "Enable Data Ingestion Pipeline, True or False ?"
+  type        = bool
+  default     = false
+}
+
+variable "data_ingestion_pipeline"  {
+  description = "Name for Data Ingestion Pipeline"
+  type        = string
+  default     = ""  
+}
+
+variable "pipeline_dms_task_time_out"  {
+  description = "DMS Task Timeout"
+  type        = number
+  default     = 300
+}
+
+variable "pipeline_additional_policies" {
+  description = "Pipeline Additional policies"
+  type        = list(string)
+  default     = []
+}
+
+variable "dms_replication_task_arn" {}
+
+variable "pipeline_notification_lambda_function" {
+  description = "Pipeline Notification Lambda Name"
+  type        = string
+  default     = ""  
+}
+
+variable "glue_reporting_hub_batch_jobname" {
+  description = "Glue Reporting Hub Batch JobName"
+  type        = string
+  default     = ""  
+}
+
+variable "glue_reporting_hub_cdc_jobname" {
+  description = "Glue Reporting Hub CDC JobName"
+  type        = string
+  default     = ""  
+}
+
+variable "s3_glue_bucket_id" {
+  description = "S3, Glue Bucket ID"
+  type        = string
+  default     = ""  
+}
+
+variable "s3_raw_bucket_id" {
+  description = "S3, RAW Bucket ID"
+  type        = string
+  default     = ""  
+}
+
+variable "s3_raw_archive_bucket_id" {
+  description = "S3, RAW Archive Bucket ID"
+  type        = string
+  default     = ""  
+}
+
+variable "s3_file_transfer_lambda_function" {
+  description = "S3 File Transfer Lambda Function Name"
+  type        = string
+  default     = "" 
+}
+
+variable "glue_hive_table_creation_jobname" {
+  description = "Glue Hive Table Creation JobName"
+  type        = string
+  default     = "" 
+}
+
+variable "tags" {
+  type        = map(string)
+  default     = {}
+  description = "(Optional) Key-value map of resource tags."
+}
+
+variable "domain" {
+  type        = string
+  default     = ""
+  description = "Domain Name"
+}
\ No newline at end of file
diff --git a/terraform/environments/digital-prison-reporting/modules/domains/pipeline-lambda/lambda.tf b/terraform/environments/digital-prison-reporting/modules/domains/pipeline-lambda/lambda.tf
new file mode 100644
index 00000000000..3c821e59f89
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/modules/domains/pipeline-lambda/lambda.tf
@@ -0,0 +1,48 @@
+# Lambda which notifies step function when DMS task stops
+module "step_function_notification_lambda" {
+  source = "../../lambdas/generic"
+
+  enable_lambda = var.setup_step_function_notification_lambda
+  name          = var.step_function_notification_lambda
+  s3_bucket     = var.s3_file_transfer_lambda_code_s3_bucket
+  s3_key        = var.reporting_lambda_code_s3_key
+  handler       = var.step_function_notification_lambda_handler
+  runtime       = var.step_function_notification_lambda_runtime
+  policies      = var.step_function_notification_lambda_policies
+  tracing       = var.step_function_notification_lambda_tracing
+  timeout       = 300 # 5 minutes
+
+  vpc_settings = {
+    subnet_ids = var.lambda_subnet_ids   # NEW
+    security_group_ids = var.lambda_security_group_ids # NEW
+  }
+
+  tags = merge(
+    var.tags,
+    {
+      Resource_Group = "ingestion-pipeline"
+      Resource_Type  = "Lambda"
+      Name           = var.step_function_notification_lambda
+    }
+  )
+}
+
+module "step_function_notification_lambda_trigger" {
+  source = "../../lambda_trigger"
+
+  enable_lambda_trigger = var.setup_step_function_notification_lambda
+
+  event_name            = var.step_function_notification_lambda_trigger
+  lambda_function_arn   = module.step_function_notification_lambda.lambda_function
+  lambda_function_name  = module.step_function_notification_lambda.lambda_name
+
+  trigger_event_pattern = jsonencode(
+    {
+      "source" : ["aws.dms"],
+      "detail-type" : ["DMS Replication Task State Change"],
+      "detail" : {
+        "eventId" : ["DMS-EVENT-0079"] # https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Events.html
+      }
+    }
+  )
+}
diff --git a/terraform/environments/digital-prison-reporting/modules/domains/pipeline-lambda/variables.tf b/terraform/environments/digital-prison-reporting/modules/domains/pipeline-lambda/variables.tf
new file mode 100644
index 00000000000..ef24cb02dd5
--- /dev/null
+++ b/terraform/environments/digital-prison-reporting/modules/domains/pipeline-lambda/variables.tf
@@ -0,0 +1,72 @@
+# Lambda
+variable "setup_step_function_notification_lambda" {
+  description = "Enable Step Function Notification Lambda, True or False ?"
+  type        = bool
+  default     = false
+}
+
+variable "step_function_notification_lambda" {
+  description = "Name for Notification Lambda Name"
+  type        = string
+  default     = ""
+}
+
+variable "s3_file_transfer_lambda_code_s3_bucket" {
+  description = "S3 File Transfer Lambda Code Bucket ID"
+  type        = string
+  default     = ""
+}
+
+variable "reporting_lambda_code_s3_key"{
+  description = "S3 File Transfer Lambda Code Bucket KEY"
+  type        = string
+  default     = ""  
+}
+
+variable "step_function_notification_lambda_handler" {
+  description = "Notification Lambda Handler"
+  type        = string
+  default     = "uk.gov.justice.digital.lambda.StepFunctionDMSNotificationLambda::handleRequest" 
+}
+
+variable "step_function_notification_lambda_runtime" {
+  description = "Lambda Runtime"
+  type        = string
+  default     = "java11"    
+}
+
+variable "step_function_notification_lambda_policies" {
+  description = "An List of Notification Lambda Policies"
+  type        = list(string)
+  default     = []  
+}
+
+variable "step_function_notification_lambda_tracing" {
+  description = "Lambda Tracing"
+  type        = string
+  default     = "Active"
+}
+
+variable "step_function_notification_lambda_trigger" {
+  description = "Name for Notification Lambda Trigger Name"
+  type        = string
+  default     = ""
+}
+
+variable "lambda_subnet_ids" {
+  description = "Lambda Subnet ID's"
+  type        = list(string)
+  default     = []
+}
+
+variable "lambda_security_group_ids" {
+  description = "Lambda Security Group ID's"
+  type        = list(string)
+  default     = []
+}
+
+variable "tags" {
+  type        = map(string)
+  default     = {}
+  description = "(Optional) Key-value map of resource tags."
+}
\ No newline at end of file
diff --git a/terraform/environments/digital-prison-reporting/modules/glue_job/main.tf b/terraform/environments/digital-prison-reporting/modules/glue_job/main.tf
index ad910ed6fa0..01ce344f632 100644
--- a/terraform/environments/digital-prison-reporting/modules/glue_job/main.tf
+++ b/terraform/environments/digital-prison-reporting/modules/glue_job/main.tf
@@ -5,7 +5,7 @@ locals {
     "--TempDir"                          = var.temp_dir
     "--checkpoint.location"              = var.checkpoint_dir
     "--spark-event-logs-path"            = var.spark_event_logs
-    "--continuous-log-logGroup"          = aws_cloudwatch_log_group.job.name
+    "--continuous-log-logGroup"          = try(aws_cloudwatch_log_group.job[0].name, "null")
     "--enable-continuous-cloudwatch-log" = "true"
     "--enable-continuous-log-filter"     = "true"
     "--enable-glue-datacatalog"          = "true"
@@ -173,40 +173,50 @@ data "aws_iam_policy_document" "extra-policy-document" {
 }
 
 resource "aws_iam_policy" "additional-policy" {
+  count = var.create_role && var.create_job ? 1 : 0
+
   name        = "${var.name}-policy"
   description = "Extra Policy for AWS Glue Job"
   policy      = data.aws_iam_policy_document.extra-policy-document.json
 }
 
 resource "aws_iam_role_policy_attachment" "glue_policies" {
-  for_each = toset([
-    "arn:aws:iam::${var.account}:policy/${aws_iam_policy.additional-policy.name}",
+  for_each = var.create_role ? toset([
+    try("arn:aws:iam::${var.account}:policy/${aws_iam_policy.additional-policy[0].name}", null),
     "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"
-  ])
+  ]) : []
 
-  role       = var.create_role ? join("", aws_iam_role.glue-service-role.*.name) : var.role_name
+  role       =  var.create_job ? join("", aws_iam_role.glue-service-role.*.name) : var.role_name
   policy_arn = each.value
 }
 
 resource "aws_cloudwatch_log_group" "job" {
+  count             = var.create_job ? 1 : 0
+
   name              = "/aws-glue/jobs/${var.name}"
   retention_in_days = var.log_group_retention_in_days
   tags              = var.tags
 }
 
 resource "aws_cloudwatch_log_group" "sec_config" {
+  count             = var.create_job ? 1 : 0
+    
   name              = "/aws-glue/jobs/${var.short_name}-sec-config"
   retention_in_days = var.log_group_retention_in_days
   tags              = var.tags
 }
 
 resource "aws_cloudwatch_log_group" "sec_config_error" {
+  count             = var.create_job ? 1 : 0
+    
   name              = "/aws-glue/jobs/${var.short_name}-sec-config-role/${var.name}-glue-role/error"
   retention_in_days = var.log_group_retention_in_days
   tags              = var.tags
 }
 
 resource "aws_cloudwatch_log_group" "sec_config_output" {
+  count             = var.create_job ? 1 : 0
+  
   name              = "/aws-glue/jobs/${var.short_name}-sec-config-role/${var.name}-glue-role/output"
   retention_in_days = var.log_group_retention_in_days
   tags              = var.tags
@@ -214,12 +224,14 @@ resource "aws_cloudwatch_log_group" "sec_config_output" {
 
 
 resource "aws_cloudwatch_log_group" "continuous_log" {
+  count             = var.create_job ? 1 : 0
+    
   name              = "/aws-glue/jobs/${var.name}-${var.short_name}-sec-config"
   retention_in_days = var.log_group_retention_in_days
   tags              = var.tags
 }
 
-resource "aws_glue_security_configuration" "sec_cfg" {
+resource "aws_glue_security_configuration" "sec_cfg" {  
   count = var.create_security_configuration && var.create_job ? 1 : 0
   name  = "${var.short_name}-sec-config"
 
diff --git a/terraform/environments/digital-prison-reporting/modules/glue_job/variables.tf b/terraform/environments/digital-prison-reporting/modules/glue_job/variables.tf
index 4faacf563ba..a3b87ef02d5 100644
--- a/terraform/environments/digital-prison-reporting/modules/glue_job/variables.tf
+++ b/terraform/environments/digital-prison-reporting/modules/glue_job/variables.tf
@@ -156,7 +156,7 @@ variable "aws_kms_key" {
 
 variable "create_role" {
   type        = bool
-  default     = true
+  default     = false
   description = "(Optional) Create AWS IAM role associated with the job."
 }
 
diff --git a/terraform/environments/digital-prison-reporting/modules/step_function/main.tf b/terraform/environments/digital-prison-reporting/modules/step_function/main.tf
index 9894e0355bf..18462fafa4a 100644
--- a/terraform/environments/digital-prison-reporting/modules/step_function/main.tf
+++ b/terraform/environments/digital-prison-reporting/modules/step_function/main.tf
@@ -5,4 +5,6 @@ resource "aws_sfn_state_machine" "data_ingestion_step_function" {
   role_arn = aws_iam_role.step_function_role[0].arn
 
   definition = var.definition
+
+  tags = var.tags
 }
\ No newline at end of file
diff --git a/terraform/environments/digital-prison-reporting/modules/step_function/variables.tf b/terraform/environments/digital-prison-reporting/modules/step_function/variables.tf
index 27e010c5fbc..02fe0acfab6 100644
--- a/terraform/environments/digital-prison-reporting/modules/step_function/variables.tf
+++ b/terraform/environments/digital-prison-reporting/modules/step_function/variables.tf
@@ -33,4 +33,10 @@ variable "additional_policies" {
   description = "(Optional) The list of Policies used for this Step Function."
   type        = list(any)
   default     = []
+}
+
+variable "tags" {
+  type        = map(string)
+  default     = {}
+  description = "(Optional) Key-value map of resource tags."
 }
\ No newline at end of file
diff --git a/terraform/environments/digital-prison-reporting/policy.tf b/terraform/environments/digital-prison-reporting/policy.tf
index 57ca439dd9e..57ddf7bf4de 100644
--- a/terraform/environments/digital-prison-reporting/policy.tf
+++ b/terraform/environments/digital-prison-reporting/policy.tf
@@ -162,7 +162,8 @@ resource "aws_iam_policy" "dynamodb_access_policy" {
         "Action" : [
           "dynamodb:PutItem",
           "dynamodb:DescribeTable",
-          "dynamodb:GetItem"
+          "dynamodb:GetItem",
+          "dynamodb:DeleteItem"
         ],
         "Effect" : "Allow",
         "Resource" : [
diff --git a/terraform/environments/hmpps-domain-services/locals_development.tf b/terraform/environments/hmpps-domain-services/locals_development.tf
index c99d5dd81a4..4fb46a84788 100644
--- a/terraform/environments/hmpps-domain-services/locals_development.tf
+++ b/terraform/environments/hmpps-domain-services/locals_development.tf
@@ -15,7 +15,7 @@ locals {
           "hmppgw2.justice.gov.uk",
           "*.hmppgw2.justice.gov.uk",
         ]
-        external_validation_records_created = false
+        external_validation_records_created = true
         cloudwatch_metric_alarms            = module.baseline_presets.cloudwatch_metric_alarms.acm
         tags = {
           description = "wildcard cert for hmpps domain load balancer"
@@ -54,53 +54,25 @@ locals {
     }
 
     baseline_lbs = {
-      public = {
-        access_logs                      = true
-        enable_cross_zone_load_balancing = true
-        enable_delete_protection         = false
-        force_destroy_bucket             = true
-        internal_lb                      = false
-        load_balancer_type               = "application"
-        security_groups                  = ["public-lb"]
-        subnets = [
-          module.environment.subnet["public"]["eu-west-2a"].id,
-          module.environment.subnet["public"]["eu-west-2b"].id,
-        ]
-
+      public = merge(local.rds_lbs.public, {
         instance_target_groups = {
+          http1 = merge(local.rds_target_groups.http, {
+            attachments = [
+            ]
+          })
+          https1 = merge(local.rds_target_groups.https, {
+            attachments = [
+            ]
+          })
         }
-
         listeners = {
-          http = {
-            port     = 80
-            protocol = "HTTP"
-            default_action = {
-              type = "redirect"
-              redirect = {
-                port        = 443
-                protocol    = "HTTPS"
-                status_code = "HTTP_301"
-              }
-            }
-          }
-          https = {
-            port                      = 443
-            protocol                  = "HTTPS"
-            ssl_policy                = "ELBSecurityPolicy-TLS13-1-2-2021-06"
-            certificate_names_or_arns = ["application_environment_wildcard_cert"]
-            default_action = {
-              type = "fixed-response"
-              fixed_response = {
-                content_type = "text/plain"
-                message_body = "Not implemented"
-                status_code  = "501"
-              }
-            }
+          http = local.rds_lb_listeners.http
+          https = merge(local.rds_lb_listeners.https, {
             rules = {
             }
-          }
+          })
         }
-      }
+      })
     }
 
     baseline_route53_zones = {
diff --git a/terraform/environments/hmpps-domain-services/locals_preproduction.tf b/terraform/environments/hmpps-domain-services/locals_preproduction.tf
index 79ac78fbc85..ba6d0488c66 100644
--- a/terraform/environments/hmpps-domain-services/locals_preproduction.tf
+++ b/terraform/environments/hmpps-domain-services/locals_preproduction.tf
@@ -13,7 +13,7 @@ locals {
           "*.${module.environment.domains.public.application_environment}",
           "*.preproduction.hmpps-domain.service.justice.gov.uk",
         ]
-        external_validation_records_created = false
+        external_validation_records_created = true
         cloudwatch_metric_alarms            = module.baseline_presets.cloudwatch_metric_alarms.acm
         tags = {
           description = "wildcard cert for hmpps domain load balancer"
@@ -21,54 +21,75 @@ locals {
       }
     }
 
-    baseline_lbs = {
-      public = {
-        access_logs                      = true
-        enable_cross_zone_load_balancing = true
-        enable_delete_protection         = false
-        force_destroy_bucket             = true
-        internal_lb                      = false
-        load_balancer_type               = "application"
-        security_groups                  = ["public-lb"]
-        subnets = [
-          module.environment.subnet["public"]["eu-west-2a"].id,
-          module.environment.subnet["public"]["eu-west-2b"].id,
-        ]
+    baseline_ec2_instances = {
+      pp-rdgw-1-a = merge(local.rds_ec2_instance, {
+        config = merge(local.rds_ec2_instance.config, {
+          availability_zone = "eu-west-2a"
+        })
+        tags = merge(local.rds_ec2_instance.tags, {
+          description = "Remote Desktop Gateway for hmpp.noms.root domain"
+        })
+      })
+      pp-rds-1-a = merge(local.rds_ec2_instance, {
+        config = merge(local.rds_ec2_instance.config, {
+          availability_zone = "eu-west-2a"
+        })
+        tags = merge(local.rds_ec2_instance.tags, {
+          description = "Remote Desktop Services for hmpp.noms.root domain"
+        })
+      })
+    }
 
+    baseline_lbs = {
+      public = merge(local.rds_lbs.public, {
         instance_target_groups = {
+          pp-rdgw-1-http = merge(local.rds_target_groups.http, {
+            attachments = [
+              { ec2_instance_name = "pp-rdgw-1-a" },
+            ]
+          })
+          pp-rds-1-https = merge(local.rds_target_groups.https, {
+            attachments = [
+              { ec2_instance_name = "pp-rds-1-a" },
+            ]
+          })
         }
-
         listeners = {
-          http = {
-            port     = 80
-            protocol = "HTTP"
-            default_action = {
-              type = "redirect"
-              redirect = {
-                port        = 443
-                protocol    = "HTTPS"
-                status_code = "HTTP_301"
+          http = local.rds_lb_listeners.http
+          https = merge(local.rds_lb_listeners.https, {
+            rules = {
+              pp-rdgw-1-http = {
+                priority = 100
+                actions = [{
+                  type              = "forward"
+                  target_group_name = "pp-rdgw-1-http"
+                }]
+                conditions = [{
+                  host_header = {
+                    values = [
+                      "rdgateway1.preproduction.hmpps-domain.service.justice.gov.uk",
+                    ]
+                  }
+                }]
               }
-            }
-          }
-          https = {
-            port                      = 443
-            protocol                  = "HTTPS"
-            ssl_policy                = "ELBSecurityPolicy-TLS13-1-2-2021-06"
-            certificate_names_or_arns = ["application_environment_wildcard_cert"]
-            default_action = {
-              type = "fixed-response"
-              fixed_response = {
-                content_type = "text/plain"
-                message_body = "Not implemented"
-                status_code  = "501"
+              pp-rds-1-https = {
+                priority = 200
+                actions = [{
+                  type              = "forward"
+                  target_group_name = "pp-rds-1-https"
+                }]
+                conditions = [{
+                  host_header = {
+                    values = [
+                      "rdweb1.preproduction.hmpps-domain.service.justice.gov.uk",
+                    ]
+                  }
+                }]
               }
             }
-            rules = {
-            }
-          }
+          })
         }
-      }
+      })
     }
 
     baseline_route53_zones = {
diff --git a/terraform/environments/hmpps-domain-services/locals_production.tf b/terraform/environments/hmpps-domain-services/locals_production.tf
index 1deaf7eecdf..5857b60b568 100644
--- a/terraform/environments/hmpps-domain-services/locals_production.tf
+++ b/terraform/environments/hmpps-domain-services/locals_production.tf
@@ -15,7 +15,7 @@ locals {
           "hmpps-az-gw1.justice.gov.uk",
           "*.hmpps-az-gw1.justice.gov.uk",
         ]
-        external_validation_records_created = false
+        external_validation_records_created = true
         cloudwatch_metric_alarms            = module.baseline_presets.cloudwatch_metric_alarms.acm
         tags = {
           description = "wildcard cert for hmpps domain load balancer"
@@ -24,59 +24,31 @@ locals {
     }
 
     baseline_lbs = {
-      public = {
-        access_logs                      = true
-        enable_cross_zone_load_balancing = true
-        enable_delete_protection         = false
-        force_destroy_bucket             = true
-        internal_lb                      = false
-        load_balancer_type               = "application"
-        security_groups                  = ["public-lb"]
-        subnets = [
-          module.environment.subnet["public"]["eu-west-2a"].id,
-          module.environment.subnet["public"]["eu-west-2b"].id,
-        ]
-
+      public = merge(local.rds_lbs.public, {
         instance_target_groups = {
+          http1 = merge(local.rds_target_groups.http, {
+            attachments = [
+            ]
+          })
+          https1 = merge(local.rds_target_groups.https, {
+            attachments = [
+            ]
+          })
         }
-
         listeners = {
-          http = {
-            port     = 80
-            protocol = "HTTP"
-            default_action = {
-              type = "redirect"
-              redirect = {
-                port        = 443
-                protocol    = "HTTPS"
-                status_code = "HTTP_301"
-              }
-            }
-          }
-          https = {
-            port                      = 443
-            protocol                  = "HTTPS"
-            ssl_policy                = "ELBSecurityPolicy-TLS13-1-2-2021-06"
-            certificate_names_or_arns = ["application_environment_wildcard_cert"]
-            default_action = {
-              type = "fixed-response"
-              fixed_response = {
-                content_type = "text/plain"
-                message_body = "Not implemented"
-                status_code  = "501"
-              }
-            }
+          http = local.rds_lb_listeners.http
+          https = merge(local.rds_lb_listeners.https, {
             rules = {
             }
-          }
+          })
         }
-      }
+      })
     }
 
     baseline_route53_zones = {
       "hmpps-domain.service.justice.gov.uk" = {
         records = [
-          { name = "development", type = "NS", ttl = "86400", records = [] },
+          { name = "development", type = "NS", ttl = "86400", records = ["ns-1447.awsdns-52.org", "ns-1826.awsdns-36.co.uk", "ns-1022.awsdns-63.net", "ns-418.awsdns-52.com", ] },
           { name = "test", type = "NS", ttl = "86400", records = ["ns-134.awsdns-16.com", "ns-1426.awsdns-50.org", "ns-1934.awsdns-49.co.uk", "ns-927.awsdns-51.net", ] },
           { name = "preproduction", type = "NS", ttl = "86400", records = ["ns-1509.awsdns-60.org", "ns-1925.awsdns-48.co.uk", "ns-216.awsdns-27.com", "ns-753.awsdns-30.net", ] },
         ]
diff --git a/terraform/environments/hmpps-domain-services/locals_rds.tf b/terraform/environments/hmpps-domain-services/locals_rds.tf
new file mode 100644
index 00000000000..660820f6998
--- /dev/null
+++ b/terraform/environments/hmpps-domain-services/locals_rds.tf
@@ -0,0 +1,108 @@
+locals {
+
+  rds_ec2_instance = {
+    # ami has unwanted ephemeral device, don't copy all the ebs_volumess
+    config = merge(module.baseline_presets.ec2_instance.config.default, {
+      ami_name                      = "hmpps_windows_server_2022_release_2024-01-16T09-48-13.663Z"
+      availability_zone             = "eu-west-2a"
+      ebs_volumes_copy_all_from_ami = false
+      user_data_raw                 = base64encode(file("./templates/windows_server_2022-user-data.yaml"))
+    })
+    instance = merge(module.baseline_presets.ec2_instance.instance.default, {
+      vpc_security_group_ids = ["rds-ec2s"]
+    })
+    ebs_volumes = {
+      "/dev/sda1" = { type = "gp3", size = 100 }
+    }
+    tags = {
+      os-type   = "Windows"
+      component = "remotedesktop"
+    }
+  }
+
+  rds_lbs = {
+    public = {
+      access_logs                      = true
+      enable_cross_zone_load_balancing = true
+      enable_delete_protection         = false
+      force_destroy_bucket             = true
+      internal_lb                      = false
+      load_balancer_type               = "application"
+      security_groups                  = ["public-lb"]
+      subnets = [
+        module.environment.subnet["public"]["eu-west-2a"].id,
+        module.environment.subnet["public"]["eu-west-2b"].id,
+      ]
+    }
+  }
+
+  rds_lb_listeners = {
+    http = {
+      port     = 80
+      protocol = "HTTP"
+      default_action = {
+        type = "redirect"
+        redirect = {
+          port        = 443
+          protocol    = "HTTPS"
+          status_code = "HTTP_301"
+        }
+      }
+    }
+    https = {
+      port                      = 443
+      protocol                  = "HTTPS"
+      ssl_policy                = "ELBSecurityPolicy-TLS13-1-2-2021-06"
+      certificate_names_or_arns = ["remote_desktop_wildcard_cert"]
+      default_action = {
+        type = "fixed-response"
+        fixed_response = {
+          content_type = "text/plain"
+          message_body = "Not implemented"
+          status_code  = "501"
+        }
+      }
+    }
+  }
+
+  rds_target_groups = {
+    http = {
+      port     = 80
+      protocol = "HTTP"
+      health_check = {
+        enabled             = true
+        interval            = 10
+        healthy_threshold   = 3
+        matcher             = "200-399"
+        path                = "/"
+        port                = 80
+        timeout             = 5
+        unhealthy_threshold = 2
+      }
+      stickiness = {
+        enabled = true
+        type    = "lb_cookie"
+      }
+    }
+    https = {
+      port     = 443
+      protocol = "HTTPS"
+      health_check = {
+        enabled             = true
+        interval            = 10
+        healthy_threshold   = 3
+        matcher             = "200-399"
+        path                = "/"
+        port                = 443
+        protocol            = "HTTPS"
+        timeout             = 5
+        unhealthy_threshold = 2
+      }
+      stickiness = {
+        enabled = true
+        type    = "lb_cookie"
+      }
+    }
+  }
+
+}
diff --git a/terraform/environments/hmpps-domain-services/locals_test.tf b/terraform/environments/hmpps-domain-services/locals_test.tf
index 66a09a720e1..ca6de6c01ca 100644
--- a/terraform/environments/hmpps-domain-services/locals_test.tf
+++ b/terraform/environments/hmpps-domain-services/locals_test.tf
@@ -22,7 +22,7 @@ locals {
           "hmppgw1.justice.gov.uk",
           "*.hmppgw1.justice.gov.uk",
         ]
-        external_validation_records_created = false
+        external_validation_records_created = true
         cloudwatch_metric_alarms            = module.baseline_presets.cloudwatch_metric_alarms.acm
         tags = {
           description = "wildcard cert for hmpps domain load balancer"
@@ -37,52 +37,25 @@ locals {
     }
 
     baseline_lbs = {
-      public = {
-        access_logs                      = true
-        enable_cross_zone_load_balancing = true
-        enable_delete_protection         = false
-        force_destroy_bucket             = true
-        internal_lb                      = false
-        load_balancer_type               = "application"
-        security_groups                  = ["public-lb"]
-        subnets = [
-          module.environment.subnet["public"]["eu-west-2a"].id,
-          module.environment.subnet["public"]["eu-west-2b"].id,
-        ]
-
+      public = merge(local.rds_lbs.public, {
         instance_target_groups = {
+          http1 = merge(local.rds_target_groups.http, {
+            attachments = [
+            ]
+          })
+          https1 = merge(local.rds_target_groups.https, {
+            attachments = [
+            ]
+          })
         }
         listeners = {
-          http = {
-            port     = 80
-            protocol = "HTTP"
-            default_action = {
-              type = "redirect"
-              redirect = {
-                port        = 443
-                protocol    = "HTTPS"
-                status_code = "HTTP_301"
-              }
-            }
-          }
-          https = {
-            port                      = 443
-            protocol                  = "HTTPS"
-            ssl_policy                = "ELBSecurityPolicy-TLS13-1-2-2021-06"
-            certificate_names_or_arns = ["application_environment_wildcard_cert"]
-            default_action = {
-              type = "fixed-response"
-              fixed_response = {
-                content_type = "text/plain"
-                message_body = "Not implemented"
-                status_code  = "501"
-              }
-            }
+          http = local.rds_lb_listeners.http
+          https = merge(local.rds_lb_listeners.https, {
             rules = {
             }
-          }
+          })
         }
-      }
+      })
     }
 
     baseline_route53_zones = {
diff --git a/terraform/environments/hmpps-oem/locals.tf b/terraform/environments/hmpps-oem/locals.tf
index 36d52c70d6b..18777e19a58 100644
--- a/terraform/environments/hmpps-oem/locals.tf
+++ b/terraform/environments/hmpps-oem/locals.tf
@@ -17,9 +17,9 @@ locals {
     enable_image_builder                         = true
     enable_ec2_cloud_watch_agent                 = true
     enable_ec2_self_provision                    = true
-    enable_ec2_oracle_enterprise_manager         = true
     enable_ec2_reduced_ssm_policy                = true
     enable_ec2_user_keypair                      = true
+    enable_ec2_oracle_enterprise_managed_server  = true # the oem manager manages itself, so it needs all of these permissions too
     enable_shared_s3                             = true # adds permissions to ec2s to interact with devtest or prodpreprod buckets
     db_backup_s3                                 = true # adds db backup buckets
     cloudwatch_metric_alarms                     = {}
@@ -40,6 +40,56 @@ locals {
   baseline_ec2_autoscaling_groups        = {}
   baseline_ec2_instances                 = {}
   baseline_iam_policies = {
+    Ec2OracleEnterpriseManagerPolicy = {
+      description = "Permissions required for Oracle Enterprise Manager"
+      statements  = [
+        {
+          sid    = "S3ListLocation"
+          effect = "Allow"
+          actions = [
+            "s3:ListAllMyBuckets",
+            "s3:GetBucketLocation",
+          ]
+          resources = [
+            "arn:aws:s3:::*"
+          ]
+        },
+        {
+          sid    = "SecretsmanagerReadWriteOracleOem"
+          effect = "Allow"
+          actions = [
+            "secretsmanager:GetSecretValue",
+            "secretsmanager:PutSecretValue",
+          ]
+          resources = [
+            "arn:aws:secretsmanager:*:*:secret:/oracle/*",
+          ]
+        },
+        {
+          sid    = "SSMReadAccountIdsOracle"
+          effect = "Allow"
+          actions = [
+            "ssm:GetParameter",
+            "ssm:GetParameters",
+          ]
+          resources = [
+            "arn:aws:ssm:*:*:parameter/account_ids",
+            "arn:aws:ssm:*:*:parameter/oracle/*",
+          ]
+        },
+        {
+          sid    = "SSMWriteOracle"
+          effect = "Allow"
+          actions = [
+            "ssm:PutParameter",
+            "ssm:PutParameters",
+          ]
+          resources = [
+            "arn:aws:ssm:*:*:parameter/oracle/*",
+          ]
+        }
+      ]
+    }
     DBRefresherPolicy = {
       description = "Permissions for the db refresh process"
       statements = [
diff --git a/terraform/environments/hmpps-oem/locals_oem.tf b/terraform/environments/hmpps-oem/locals_oem.tf
index bbc48c6691f..cdf7055b795 100644
--- a/terraform/environments/hmpps-oem/locals_oem.tf
+++ b/terraform/environments/hmpps-oem/locals_oem.tf
@@ -63,6 +63,9 @@ locals {
     config = merge(module.baseline_presets.ec2_instance.config.db, {
       ami_name  = "hmpps_ol_8_5_oracledb_19c_release_2023-08-07T16-14-04.275Z"
       ami_owner = "self"
+      instance_profile_policies = concat(module.baseline_presets.ec2_instance.config.db.instance_profile_policies, [
+        "Ec2OracleEnterpriseManagerPolicy",
+      ])
     })
 
     instance = merge(module.baseline_presets.ec2_instance.instance.default_db, {
diff --git a/terraform/environments/maat/api-cw.tf b/terraform/environments/maat/api-cw.tf
index 1b80fac559a..0859e8640db 100644
--- a/terraform/environments/maat/api-cw.tf
+++ b/terraform/environments/maat/api-cw.tf
@@ -4,5 +4,239 @@
 resource "aws_cloudwatch_log_group" "maat_api_ecs_cw_group" {
   name              = "${local.application_name}-ECS"
   retention_in_days = 90
-  kms_key_id        = aws_kms_key.cloudwatch_logs_key.arn
+  kms_key_id = aws_kms_key.cloudwatch_logs_key.arn
+}
+# ECS cluster alerting
+resource "aws_cloudwatch_metric_alarm" "ecs_cpu_over_threshold" {
+  alarm_name          = "${local.application_name}-ECS-CPU-high-threshold-alarm1"
+  alarm_description   = "If the CPU exceeds the predefined threshold, this alarm will trigger. Please investigate."
+  namespace           = "AWS/ECS"
+  metric_name         = "CPUUtilization"
+  statistic           = "Average"
+  period              = 60
+  evaluation_periods  = 5
+  threshold           = var.ecs_cpu_alarm_threshold
+  treat_missing_data  = "breaching"
+  alarm_actions       = [aws_sns_topic.maat_api_alerting_topic.arn]
+  ok_actions          = [aws_sns_topic.maat_api_alerting_topic.arn]
+  unit                = "Percent"
+  dimensions = {
+    ClusterName = aws_ecs_cluster.app_ecs_cluster.name
+    ServiceName = aws_ecs_service.maat_api_ecs_service.name
+  }
+  comparison_operator = "GreaterThanThreshold"
+}
+
+resource "aws_cloudwatch_metric_alarm" "ecs_memory_over_threshold" {
+  alarm_name          = "${local.application_name}-ECS-Memory-high-threshold-alarm"
+  alarm_description   = "If the memory util exceeds the predefined threshold, this alarm will trigger. Please investigate."
+  namespace           = "AWS/ECS"
+  metric_name         = "MemoryUtilization"
+  statistic           = "Average"
+  period              = 60
+  evaluation_periods  = 5
+  threshold           = var.ecs_memory_alarm_threshold
+  treat_missing_data  = "breaching"
+  alarm_actions       = [aws_sns_topic.maat_api_alerting_topic.arn]
+  ok_actions          = [aws_sns_topic.maat_api_alerting_topic.arn]
+  unit                = "Percent"
+  dimensions = {
+    ClusterName = aws_ecs_cluster.app_ecs_cluster.name
+    ServiceName = aws_ecs_service.maat_api_ecs_service.name
+  }
+  comparison_operator = "GreaterThanThreshold"
+}
+
+# Application Load Balancer Alerting
+resource "aws_cloudwatch_metric_alarm" "target_response_time" {
+  alarm_name          = "${local.application_name}-alb-target-response-time-alarm"
+  alarm_description   = "The time elapsed, in seconds, after the request leaves the load balancer until a response from the target is received"
+  namespace           = "AWS/ApplicationELB"
+  metric_name         = "TargetResponseTime"
+  extended_statistic  = "p99"
+  period              = 60
+  evaluation_periods  = 5
+  threshold           = var.alb_target_response_time_threshold
+  treat_missing_data  = "notBreaching"
+  alarm_actions       = [aws_sns_topic.maat_api_alerting_topic.arn]
+  ok_actions          = [aws_sns_topic.maat_api_alerting_topic.arn]
+  dimensions = {
+    LoadBalancer = aws_lb.maat_api_ecs_lb.name
+  }
+  comparison_operator = "GreaterThanThreshold"
+}
+
+resource "aws_cloudwatch_metric_alarm" "target_response_time_maximum" {
+  alarm_name          = "${local.application_name}-alb-target-response-time-alarm-maximum"
+  alarm_description   = "The time elapsed, in seconds, after the request leaves the load balancer until a response from the target is received. Triggered if the response is longer than 60s."
+  namespace           = "AWS/ApplicationELB"
+  metric_name         = "TargetResponseTime"
+  statistic           = "Maximum"
+  period              = 60
+  evaluation_periods  = 1
+  threshold           = var.alb_target_response_time_threshold_maximum
+  treat_missing_data  = "notBreaching"
+  alarm_actions       = [aws_sns_topic.maat_api_alerting_topic.arn]
+  ok_actions          = [aws_sns_topic.maat_api_alerting_topic.arn]
+  dimensions = {
+    LoadBalancer = aws_lb.maat_api_ecs_lb.name
+  }
+  comparison_operator = "GreaterThanThreshold"
+}
+
+resource "aws_cloudwatch_metric_alarm" "unhealthy_hosts" {
+  alarm_name          = "${local.application_name}-unhealthy-hosts-alarm"
+  alarm_description   = "The unhealthy hosts alarm triggers if your load balancer recognizes there is an unhealthy host and has been there for over 15 minutes."
+  namespace           = "AWS/ApplicationELB"
+  metric_name         = "UnHealthyHostCount"
+  statistic           = "Average"
+  period              = 60
+  evaluation_periods  = 5
+  threshold           = var.alb_unhealthy_alarm_threshold
+  treat_missing_data  = "notBreaching"
+  alarm_actions       = [aws_sns_topic.maat_api_alerting_topic.arn]
+  ok_actions          = [aws_sns_topic.maat_api_alerting_topic.arn]
+  dimensions = {
+    LoadBalancer = aws_lb.maat_api_ecs_lb.name
+    TargetGroup  = aws_lb_target_group.maat_api_ecs_target_group.name
+  }
+  comparison_operator = "GreaterThanThreshold"
+}
+
+resource "aws_cloudwatch_metric_alarm" "rejected_connection_count" {
+  alarm_name          = "${local.application_name}-RejectedConnectionCount-alarm"
+  alarm_description   = "There is no surge queue on ALB's. Alert triggers in ALB rejects too many requests, usually due to the backend being busy."
+  namespace           = "AWS/ApplicationELB"
+  metric_name         = "RejectedConnectionCount"
+  statistic           = "Sum"
+  period              = 60
+  evaluation_periods  = 5
+  threshold           = var.alb_rejected_alarm_threshold
+  treat_missing_data  = "notBreaching"
+  alarm_actions       = [aws_sns_topic.maat_api_alerting_topic.arn]
+  ok_actions          = [aws_sns_topic.maat_api_alerting_topic.arn]
+  dimensions = {
+    LoadBalancer = aws_lb.maat_api_ecs_lb.name
+  }
+  comparison_operator = "GreaterThanThreshold"
+}
+
+resource "aws_cloudwatch_metric_alarm" "http_5xx_error" {
+  alarm_name          = "${local.application_name}-http-5xx-error-alarm"
+  alarm_description   = "This alarm will trigger if we receive 4 5XX http alerts in a 5-minute period."
+  namespace           = "AWS/ApplicationELB"
+  metric_name         = "HTTPCode_Target_5XX_Count"
+  statistic           = "Sum"
+  period              = 60
+  evaluation_periods  = 5
+  threshold           = var.alb_target_5xx_alarm_threshold
+  treat_missing_data  = "notBreaching"
+  alarm_actions       = [aws_sns_topic.maat_api_alerting_topic.arn]
+  ok_actions          = [aws_sns_topic.maat_api_alerting_topic.arn]
+  dimensions = {
+    LoadBalancer = aws_lb.maat_api_ecs_lb.name
+  }
+  comparison_operator = "GreaterThanThreshold"
+}
+
+resource "aws_cloudwatch_metric_alarm" "application_elb_5xx_error" {
+  alarm_name          = "${local.application_name}-elb-5xx-error-alarm"
+  alarm_description   = "This alarm will trigger if we receive 4 5XX elb alerts in a 5-minute period."
+  namespace           = "AWS/ApplicationELB"
+  metric_name         = "HTTPCode_ELB_5XX_Count"
+  statistic           = "Sum"
+  period              = 60
+  evaluation_periods  = 5
+  threshold           = var.alb_5xx_alarm_threshold
+  treat_missing_data  = "notBreaching"
+  alarm_actions       = [aws_sns_topic.maat_api_alerting_topic.arn]
+  ok_actions          = [aws_sns_topic.maat_api_alerting_topic.arn]
+  dimensions = {
+    LoadBalancer = aws_lb.maat_api_ecs_lb.name
+  }
+  comparison_operator = "GreaterThanThreshold"
+}
+
+resource "aws_cloudwatch_metric_alarm" "http4xxError" {
+  alarm_name          = "${local.application_name}-http-4xx-error-alarm"
+  alarm_description   = "This alarm will trigger if we receive 4 4XX http alerts in a 5-minute period."
+  namespace           = "AWS/ApplicationELB"
+  metric_name         = "HTTPCode_Target_4XX_Count"
+  statistic           = "Sum"
+  period              = 60
+  evaluation_periods  = 5
+  threshold           = var.alb_target_4xx_alarm_threshold
+  treat_missing_data  = "notBreaching"
+  alarm_actions       = [aws_sns_topic.maat_api_alerting_topic.arn]
+  ok_actions          = [aws_sns_topic.maat_api_alerting_topic.arn]
+  dimensions = {
+    LoadBalancer = aws_lb.maat_api_ecs_lb.name
+  }
+  comparison_operator = "GreaterThanThreshold"
+}
+
+resource "aws_cloudwatch_metric_alarm" "application_elb_4xx_error" {
+  alarm_name          = "${local.application_name}-elb-4xx-error-alarm"
+  alarm_description   = "This alarm will trigger if we receive 4 4XX elb alerts in a 5-minute period."
+  namespace           = "AWS/ApplicationELB"
+  metric_name         = "HTTPCode_ELB_4XX_Count"
+  statistic           = "Sum"
+  period              = 60
+  evaluation_periods  = 5
+  threshold           = var.alb_4xx_alarm_threshold
+  treat_missing_data  = "notBreaching"
+  alarm_actions       = [aws_sns_topic.maat_api_alerting_topic.arn]
+  ok_actions          = [aws_sns_topic.maat_api_alerting_topic.arn]
+  dimensions = {
+    LoadBalancer = aws_lb.maat_api_ecs_lb.name
+  }
+  comparison_operator = "GreaterThanThreshold"
+}
+
+# SNS topic for monitoring to send alarms to
+resource "aws_sns_topic" "maat_api_alerting_topic" {
+  name = "${local.application_name}-${local.environment}-alerting-topic"
+}
+
+resource "aws_sns_topic_subscription" "pagerduty_subscription" {
+  topic_arn = aws_sns_topic.maat_api_alerting_topic.arn
+  protocol  = "https"
+  endpoint  = "https://events.pagerduty.com/integration/${local.pagerduty_integration_keys[local.pagerduty_integration_key_name]}/enqueue"
+}
+
+# Pager duty integration
+
+# Get the map of pagerduty integration keys from the modernisation platform account
+data "aws_secretsmanager_secret" "pagerduty_integration_keys" {
+  provider = aws.modernisation-platform
+  name     = "pagerduty_integration_keys"
+}
+data "aws_secretsmanager_secret_version" "pagerduty_integration_keys" {
+  provider  = aws.modernisation-platform
+  secret_id = data.aws_secretsmanager_secret.pagerduty_integration_keys.id
+}
+
+# Add a local to get the keys
+locals {
+  pagerduty_integration_keys = jsondecode(data.aws_secretsmanager_secret_version.pagerduty_integration_keys.secret_string)
+  pagerduty_integration_key_name = local.application_data.accounts[local.environment].pagerduty_integration_key_name
+}
+
+# link the sns topic to the service
+module "pagerduty_core_alerts_non_prod" {
+  depends_on = [
+    aws_sns_topic.maat_api_alerting_topic
+  ]
+  source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
+  sns_topics                = [aws_sns_topic.maat_api_alerting_topic.name]
+  pagerduty_integration_key = local.pagerduty_integration_keys["laa_maat_api_nonprod_alarms"]
+}
+
+module "pagerduty_core_alerts_prod" {
+  depends_on = [
+    aws_sns_topic.maat_api_alerting_topic
+  ]
+  source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
+  sns_topics                = [aws_sns_topic.maat_api_alerting_topic.name]
+  pagerduty_integration_key = local.pagerduty_integration_keys["laa_maat_api_prod_alarms"]
 }
\ No newline at end of file
diff --git a/terraform/environments/maat/api-variables.tf b/terraform/environments/maat/api-variables.tf
new file mode 100644
index 00000000000..b3eab9e623d
--- /dev/null
+++ b/terraform/environments/maat/api-variables.tf
@@ -0,0 +1,40 @@
+variable "ecs_cpu_alarm_threshold" {
+  type = number
+  default = 75
+}
+variable "ecs_memory_alarm_threshold" {
+  type = number
+  default = 75
+}
+variable "alb_target_response_time_threshold" {
+  type = number
+  default = 10
+}
+variable "alb_target_response_time_threshold_maximum" {
+  type = number
+  default = 60
+}
+variable "alb_unhealthy_alarm_threshold" {
+  type = number
+  default = 0
+}
+variable "alb_rejected_alarm_threshold" {
+  type = number
+  default = 10
+}
+variable "alb_target_5xx_alarm_threshold" {
+  type = number
+  default = 10
+}
+variable "alb_5xx_alarm_threshold" {
+  type = number
+  default = 10
+}
+variable "alb_target_4xx_alarm_threshold" {
+  type = number
+  default = 10
+}
+variable "alb_4xx_alarm_threshold" {
+  type = number
+  default = 10
+}
\ No newline at end of file
diff --git a/terraform/environments/maat/application_variables.json b/terraform/environments/maat/application_variables.json
index 8c56201b6dc..1afb9b7e371 100644
--- a/terraform/environments/maat/application_variables.json
+++ b/terraform/environments/maat/application_variables.json
@@ -25,7 +25,8 @@
       "ecs_env_CloudwatchStep": "1m",
       "ecs_env_CloudwatchBatchSize": "10",
       "ecs_env_EnableCloudwatchMetrics": "true",
-      "ecs_env_TogDataUsername": "togdata"
+      "ecs_env_TogDataUsername": "togdata",
+      "pagerduty_integration_key_name": "laa_maat_api_nonprod_alarms"
     },
     "test": {
       "example_var": "test-data",
@@ -34,7 +35,8 @@
       "ecs_cpu": 1024,
       "ecs_memory": 2048,
       "ecs_container_cpu": 922,
-      "ecs_container_memory": 1792
+      "ecs_container_memory": 1792,
+      "pagerduty_integration_key_name": "laa_maat_api_nonprod_alarms"
     },
     "preproduction": {
       "example_var": "preproduction-data",
@@ -43,7 +45,8 @@
       "ecs_cpu": 1024,
       "ecs_memory": 3072,
       "ecs_container_cpu": 922,
-      "ecs_container_memory": 2816
+      "ecs_container_memory": 2816,
+      "pagerduty_integration_key_name": "laa_maat_api_nonprod_alarms"
     },
     "production": {
       "example_var": "production-data",
@@ -52,7 +55,8 @@
       "ecs_cpu": 1024,
       "ecs_memory": 3072,
       "ecs_container_cpu": 922,
-      "ecs_container_memory": 2816
+      "ecs_container_memory": 2816,
+      "pagerduty_integration_key_name": "laa_maat_api_prod_alarms"
     }
   }
 }
diff --git a/terraform/environments/oasys/locals.tf b/terraform/environments/oasys/locals.tf
index c738d8de726..390f700eb00 100644
--- a/terraform/environments/oasys/locals.tf
+++ b/terraform/environments/oasys/locals.tf
@@ -129,7 +129,6 @@ locals {
       availability_zone = "${local.region}a"
       instance_profile_policies = flatten([
         module.baseline_presets.ec2_instance.config.db.instance_profile_policies,
-        "Ec2OracleEnterpriseManagerPolicy"
       ])
     })
     instance = merge(module.baseline_presets.ec2_instance.instance.default_db, {
diff --git a/terraform/environments/oasys/locals_security_groups.tf b/terraform/environments/oasys/locals_security_groups.tf
index 0668c2b6ca6..2bbe10b56fd 100644
--- a/terraform/environments/oasys/locals_security_groups.tf
+++ b/terraform/environments/oasys/locals_security_groups.tf
@@ -244,7 +244,7 @@ locals {
           security_groups = [
             "private_lb",
             # "private-jumpserver",
-            # "private-web",
+            "private_web",
             # "bastion-linux",
           ]
         }
@@ -257,7 +257,7 @@ locals {
           security_groups = [
             "private_lb",
             "bip",
-            # "private-web",
+            "private_web",
             # "bastion-linux",
           ]
         }
diff --git a/terraform/environments/oasys/locals_test.tf b/terraform/environments/oasys/locals_test.tf
index dfc37f8e823..a18274e63a4 100644
--- a/terraform/environments/oasys/locals_test.tf
+++ b/terraform/environments/oasys/locals_test.tf
@@ -630,6 +630,7 @@ locals {
       }
     }
 
+
     # The following zones can be found on azure:
     # az.justice.gov.uk
     # oasys.service.justice.gov.uk
diff --git a/terraform/modules/baseline_presets/iam_policies.tf b/terraform/modules/baseline_presets/iam_policies.tf
index 0ceca49e134..14df39b149a 100644
--- a/terraform/modules/baseline_presets/iam_policies.tf
+++ b/terraform/modules/baseline_presets/iam_policies.tf
@@ -8,7 +8,6 @@ locals {
     var.options.enable_shared_s3 ? ["Ec2AccessSharedS3Policy"] : [],
     var.options.enable_ec2_reduced_ssm_policy ? ["SSMManagedInstanceCoreReducedPolicy"] : [],
     var.options.enable_ec2_oracle_enterprise_managed_server ? ["OracleEnterpriseManagementSecretsPolicy", "Ec2OracleEnterpriseManagedServerPolicy"] : [],
-    var.options.enable_ec2_oracle_enterprise_manager ? ["OracleEnterpriseManagementSecretsPolicy", "Ec2OracleEnterpriseManagerPolicy"] : [],
     var.options.iam_policies_filter,
     "EC2Default",
     "EC2Db",
@@ -35,7 +34,6 @@ locals {
     var.options.enable_shared_s3 ? local.iam_policy_statements_ec2.S3ReadSharedWrite : [],
     var.options.enable_ec2_reduced_ssm_policy ? local.iam_policy_statements_ec2.SSMManagedInstanceCoreReduced : [],
     var.options.enable_ec2_oracle_enterprise_managed_server ? local.iam_policy_statements_ec2.OracleEnterpriseManagedServer : [],
-    var.options.enable_ec2_oracle_enterprise_manager ? local.iam_policy_statements_ec2.OracleEnterpriseManager : [],
     var.options.iam_policy_statements_ec2_default
   ])
 
@@ -116,11 +114,6 @@ locals {
       statements  = local.iam_policy_statements_ec2.OracleEnterpriseManagedServer
     }
 
-    Ec2OracleEnterpriseManagerPolicy = {
-      description = "Permissions required for Oracle Enterprise Manager"
-      statements  = local.iam_policy_statements_ec2.OracleEnterpriseManager
-    }
-
     SSMManagedInstanceCoreReducedPolicy = {
       description = "AmazonSSMManagedInstanceCore minus GetParameters"
       statements  = local.iam_policy_statements_ec2.SSMManagedInstanceCoreReduced
diff --git a/terraform/modules/baseline_presets/iam_policy_statements_ec2.tf b/terraform/modules/baseline_presets/iam_policy_statements_ec2.tf
index 2685c210366..f9162881851 100644
--- a/terraform/modules/baseline_presets/iam_policy_statements_ec2.tf
+++ b/terraform/modules/baseline_presets/iam_policy_statements_ec2.tf
@@ -240,54 +240,6 @@ locals {
       }
     ]
 
-    OracleEnterpriseManager = [
-      {
-        sid    = "S3ListLocation"
-        effect = "Allow"
-        actions = [
-          "s3:ListAllMyBuckets",
-          "s3:GetBucketLocation",
-        ]
-        resources = [
-          "arn:aws:s3:::*"
-        ]
-      },
-      {
-        sid    = "SecretsmanagerReadWriteOracle"
-        effect = "Allow"
-        actions = [
-          "secretsmanager:GetSecretValue",
-          "secretsmanager:PutSecretValue",
-        ]
-        resources = [
-          "arn:aws:secretsmanager:*:*:secret:/oracle/*",
-        ]
-      },
-      {
-        sid    = "SSMReadAccountIdsOracle"
-        effect = "Allow"
-        actions = [
-          "ssm:GetParameter",
-          "ssm:GetParameters",
-        ]
-        resources = [
-          "arn:aws:ssm:*:*:parameter/account_ids",
-          "arn:aws:ssm:*:*:parameter/oracle/*",
-        ]
-      },
-      {
-        sid    = "SSMWriteOracle"
-        effect = "Allow"
-        actions = [
-          "ssm:PutParameter",
-          "ssm:PutParameters",
-        ]
-        resources = [
-          "arn:aws:ssm:*:*:parameter/oracle/*",
-        ]
-      }
-    ]
-
     OracleLicenseTracking = [
       {
         sid    = "OracleLicenseTracking"
diff --git a/terraform/modules/baseline_presets/iam_roles.tf b/terraform/modules/baseline_presets/iam_roles.tf
index 891a0c8a19d..1e216196859 100644
--- a/terraform/modules/baseline_presets/iam_roles.tf
+++ b/terraform/modules/baseline_presets/iam_roles.tf
@@ -2,7 +2,7 @@ locals {
 
   iam_roles_filter = flatten([
     var.options.enable_image_builder ? ["EC2ImageBuilderDistributionCrossAccountRole"] : [],
-    var.options.enable_ec2_oracle_enterprise_managed_server || var.options.enable_ec2_oracle_enterprise_manager ? ["EC2OracleEnterpriseManagementSecretsRole"] : [],
+    var.options.enable_ec2_oracle_enterprise_managed_server ? ["EC2OracleEnterpriseManagementSecretsRole"] : [],
     var.options.enable_observability_platform_monitoring ? ["observability-platform"] : [],
   ])
 
diff --git a/terraform/modules/baseline_presets/ssm.tf b/terraform/modules/baseline_presets/ssm.tf
index 2c784b4b3ff..6b1108e37a8 100644
--- a/terraform/modules/baseline_presets/ssm.tf
+++ b/terraform/modules/baseline_presets/ssm.tf
@@ -5,7 +5,6 @@ locals {
   # the relevant account ids.
   account_names_for_account_ids_ssm_parameter = distinct(flatten([
     var.options.enable_ec2_oracle_enterprise_managed_server ? ["hmpps-oem-${var.environment.environment}"] : [],
-    var.options.enable_ec2_oracle_enterprise_manager ? ["hmpps-oem-${var.environment.environment}"] : [],
   ]))
 
   # add a cloud watch windows SSM param if the file is present
diff --git a/terraform/modules/baseline_presets/variables.tf b/terraform/modules/baseline_presets/variables.tf
index 547454da547..6cb92af33f8 100644
--- a/terraform/modules/baseline_presets/variables.tf
+++ b/terraform/modules/baseline_presets/variables.tf
@@ -25,7 +25,6 @@ variable "options" {
     enable_ec2_self_provision                    = optional(bool, false)
     enable_ec2_reduced_ssm_policy                = optional(bool, false)
     enable_ec2_oracle_enterprise_managed_server  = optional(bool, false)
-    enable_ec2_oracle_enterprise_manager         = optional(bool, false)
     enable_ec2_user_keypair                      = optional(bool, false)
     enable_shared_s3                             = optional(bool, false)
     enable_observability_platform_monitoring     = optional(bool, false)