diff --git a/.devcontainer/devcontainer-lock.json b/.devcontainer/devcontainer-lock.json index f6e49e30fd5..f54d94e3e2a 100644 --- a/.devcontainer/devcontainer-lock.json +++ b/.devcontainer/devcontainer-lock.json @@ -16,9 +16,9 @@ "integrity": "sha256:e81d52725655c8ffb861605feac7ad155b447d51af65f6c3a03cab32d59f1e16" }, "ghcr.io/ministryofjustice/devcontainer-feature/terraform:1": { - "version": "1.0.0", - "resolved": "ghcr.io/ministryofjustice/devcontainer-feature/terraform@sha256:af3b3891cf31ff373df29998c690257d6f21f2ee4536bc4d692856408ef0c83a", - "integrity": "sha256:af3b3891cf31ff373df29998c690257d6f21f2ee4536bc4d692856408ef0c83a" + "version": "1.1.0", + "resolved": "ghcr.io/ministryofjustice/devcontainer-feature/terraform@sha256:34eb8c510a11fc44abb8173519215fcb6b82715b94e647c69089ee23773c6dc8", + "integrity": "sha256:34eb8c510a11fc44abb8173519215fcb6b82715b94e647c69089ee23773c6dc8" } } -} +} \ No newline at end of file diff --git a/.github/workflows/code-scanning.yml b/.github/workflows/code-scanning.yml index 024ca87d3f7..fee7b7d5b8a 100644 --- a/.github/workflows/code-scanning.yml +++ b/.github/workflows/code-scanning.yml @@ -38,7 +38,7 @@ jobs: run: tflint --disable-rule=terraform_unused_declarations --format sarif > tflint.sarif - name: Upload SARIF file if: success() || failure() - uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0 + uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 with: sarif_file: tflint.sarif trivy: @@ -63,7 +63,7 @@ jobs: - name: Upload Trivy scan results to GitHub Security tab if: success() || failure() - uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0 + uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 with: sarif_file: 'trivy-results.sarif' checkov: 
@@ -81,7 +81,7 @@ jobs: fetch-depth: 0 - name: Run Checkov action id: checkov - uses: bridgecrewio/checkov-action@5fa28e9c4db2c0920ade6ae453c0e91745c6378a # v12.2847.0 + uses: bridgecrewio/checkov-action@4fa90328619ebe2a5396c7f16308c17a7a4b5dc3 # v12.2858.0 with: directory: ./ framework: terraform @@ -90,6 +90,6 @@ jobs: skip_check: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39 - name: Upload SARIF file if: success() || failure() - uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0 + uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 with: sarif_file: ./checkov.sarif diff --git a/.github/workflows/format-code.yml b/.github/workflows/format-code.yml index 6a3117470ab..1e7d811a5d5 100644 --- a/.github/workflows/format-code.yml +++ b/.github/workflows/format-code.yml @@ -40,7 +40,7 @@ jobs: id: ml # You can override MegaLinter flavor used to have faster performances # More info at https://megalinter.io/flavors/ - uses: oxsecurity/megalinter/flavors/terraform@bacb5f8674e3730b904ca4d20c8bd477bc51b1a7 #v7.13.0 + uses: oxsecurity/megalinter/flavors/terraform@c217fe8f7bc9207062a084e989bd97efd56e7b9a #v8.0.0 env: # All available variables are described in documentation # https://megalinter.io/configuration/#shared-variables diff --git a/.github/workflows/nuke-redeploy.yml b/.github/workflows/nuke-redeploy.yml index 782eb2beac3..2542579d602 100644 --- a/.github/workflows/nuke-redeploy.yml +++ b/.github/workflows/nuke-redeploy.yml @@ -68,7 +68,7 @@ jobs: aws-region: ${{ env.AWS_REGION }} - name: Load and Configure Terraform - uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v3.1.1 + uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 with: terraform_version: "~1" terraform_wrapper: false diff --git a/.github/workflows/reusable_terraform_plan_apply.yml b/.github/workflows/reusable_terraform_plan_apply.yml index bbfd7898955..68cd373d3be 100644 
--- a/.github/workflows/reusable_terraform_plan_apply.yml +++ b/.github/workflows/reusable_terraform_plan_apply.yml @@ -112,7 +112,7 @@ jobs: aws-region: "eu-west-2" - name: Setup Terraform - uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v3.1.1 + uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 with: terraform_version: "${{ inputs.terraform_version }}" terraform_wrapper: false @@ -294,7 +294,7 @@ jobs: aws-region: "eu-west-2" - name: Setup Terraform - uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v3.1.1 + uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 with: terraform_version: "${{ inputs.terraform_version }}" terraform_wrapper: false diff --git a/.github/workflows/reusable_terraform_plan_apply_test.yml b/.github/workflows/reusable_terraform_plan_apply_test.yml index 1dc880d7702..fa7c073fcf1 100644 --- a/.github/workflows/reusable_terraform_plan_apply_test.yml +++ b/.github/workflows/reusable_terraform_plan_apply_test.yml @@ -108,7 +108,7 @@ jobs: aws-region: "eu-west-2" - name: Setup Terraform - uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v3.1.1 + uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 with: terraform_version: "${{ inputs.terraform_version }}" terraform_wrapper: false @@ -257,7 +257,7 @@ jobs: aws-region: "eu-west-2" - name: Setup Terraform - uses: hashicorp/setup-terraform@651471c36a6092792c552e8b1bef71e592b462d8 # v3.1.1 + uses: hashicorp/setup-terraform@b9cd54a3c349d3f38e8881555d616ced269862dd # v3.1.2 with: terraform_version: "${{ inputs.terraform_version }}" terraform_wrapper: false diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml index 4cd0c9c42fb..baf0aa46b86 100644 --- a/.github/workflows/scorecards.yml +++ b/.github/workflows/scorecards.yml 
@@ -67,6 +67,6 @@ jobs: # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@eb055d739abdc2e8de2e5f4ba1a8b246daa779aa # v3.26.0 + uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 with: sarif_file: results.sarif diff --git a/terraform/environments/analytical-platform-compute/cloudwatch-log-groups.tf b/terraform/environments/analytical-platform-compute/cloudwatch-log-groups.tf index 364cba99672..5da5d3bee32 100644 --- a/terraform/environments/analytical-platform-compute/cloudwatch-log-groups.tf +++ b/terraform/environments/analytical-platform-compute/cloudwatch-log-groups.tf @@ -3,7 +3,7 @@ module "eks_log_group" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/cloudwatch/aws//modules/log-group" - version = "5.4.0" + version = "5.5.0" name = local.eks_cloudwatch_log_group_name kms_key_id = module.eks_cluster_logs_kms.key_arn @@ -17,7 +17,7 @@ module "managed_prometheus_log_group" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/cloudwatch/aws//modules/log-group" - version = "5.3.1" + version = "5.5.0" name = local.amp_cloudwatch_log_group_name kms_key_id = module.managed_prometheus_logs_kms.key_arn diff --git a/terraform/environments/analytical-platform-compute/eks-cluster.tf b/terraform/environments/analytical-platform-compute/eks-cluster.tf index 55d2b41dbdd..a24874a93da 100644 --- a/terraform/environments/analytical-platform-compute/eks-cluster.tf +++ b/terraform/environments/analytical-platform-compute/eks-cluster.tf @@ -6,7 +6,7 @@ module "eks" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/eks/aws" - version = "20.20.0" + version = "20.24.0" cluster_name = local.eks_cluster_name cluster_version = local.environment_configuration.eks_cluster_version 
@@ -172,7 +172,7 @@ module "karpenter" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/eks/aws//modules/karpenter" - version = "20.20.0" + version = "20.24.0" cluster_name = module.eks.cluster_name @@ -190,6 +190,7 @@ module "karpenter" { iam_role_policies = { KarpenterSQSKMSAccess = module.karpenter_sqs_kms_access_iam_policy.arn } + enable_v1_permissions = true node_iam_role_name = "karpenter" node_iam_role_additional_policies = { diff --git a/terraform/environments/analytical-platform-compute/eks-pod-identities.tf b/terraform/environments/analytical-platform-compute/eks-pod-identities.tf index 20163447967..aa1c1dc54a5 100644 --- a/terraform/environments/analytical-platform-compute/eks-pod-identities.tf +++ b/terraform/environments/analytical-platform-compute/eks-pod-identities.tf @@ -7,7 +7,7 @@ module "aws_cloudwatch_metrics_pod_identity" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/eks-pod-identity/aws" - version = "1.3.0" + version = "1.4.0" name = "aws-cloudwatch-metrics" diff --git a/terraform/environments/analytical-platform-compute/environment-configuration.tf b/terraform/environments/analytical-platform-compute/environment-configuration.tf index 3b07c4b2bf3..815f88439be 100644 --- a/terraform/environments/analytical-platform-compute/environment-configuration.tf +++ b/terraform/environments/analytical-platform-compute/environment-configuration.tf @@ -17,7 +17,7 @@ locals { eks_cloudwatch_log_group_retention_in_days = 400 /* Kube Prometheus Stack */ - prometheus_operator_crd_version = "v0.75.1" + prometheus_operator_crd_version = "v0.76.0" /* Environment Configuration */ environment_configuration = local.environment_configurations[local.environment] 
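Review bot: `enable_v1_permissions = true` carries no comment linking it to the Karpenter 0.37.0 → 1.0.0 chart bump made elsewhere in this commit, so a reader of this file alone cannot tell why the controller role's policy set changed; suggest `enable_v1_permissions = true # Karpenter >= 1.0 controller policy; keep in step with helm_release.karpenter`. Because this swaps the IAM policy attached to the Karpenter controller role, the resulting policy document should be checked in the plan output before apply — the module's v1 policy contents are not visible here. The `module "karpenter"` block starts and ends outside this hunk.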
@@ -47,15 +47,15 @@ locals { /* EKS */ eks_sso_access_role = "modernisation-platform-sandbox" eks_cluster_version = "1.30" - eks_node_version = "1.20.4-b6163b2a" + eks_node_version = "1.21.0-4d43022e" eks_cluster_addon_versions = { - coredns = "v1.11.1-eksbuild.9" - kube_proxy = "v1.30.0-eksbuild.3" - aws_ebs_csi_driver = "v1.32.0-eksbuild.1" - aws_efs_csi_driver = "v2.0.5-eksbuild.1" + coredns = "v1.11.1-eksbuild.11" + kube_proxy = "v1.30.3-eksbuild.2" + aws_ebs_csi_driver = "v1.33.0-eksbuild.1" + aws_efs_csi_driver = "v2.0.6-eksbuild.2" aws_guardduty_agent = "v1.6.1-eksbuild.1" eks_pod_identity_agent = "v1.3.0-eksbuild.1" - vpc_cni = "v1.18.2-eksbuild.1" + vpc_cni = "v1.18.3-eksbuild.2" } /* Data Engineering Airflow */ @@ -98,15 +98,15 @@ locals { /* EKS */ eks_sso_access_role = "modernisation-platform-developer" eks_cluster_version = "1.30" - eks_node_version = "1.20.4-b6163b2a" + eks_node_version = "1.21.0-4d43022e" eks_cluster_addon_versions = { - coredns = "v1.11.1-eksbuild.9" - kube_proxy = "v1.30.0-eksbuild.3" - aws_ebs_csi_driver = "v1.32.0-eksbuild.1" - aws_efs_csi_driver = "v2.0.5-eksbuild.1" + coredns = "v1.11.1-eksbuild.11" + kube_proxy = "v1.30.3-eksbuild.2" + aws_ebs_csi_driver = "v1.33.0-eksbuild.1" + aws_efs_csi_driver = "v2.0.6-eksbuild.2" aws_guardduty_agent = "v1.6.1-eksbuild.1" eks_pod_identity_agent = "v1.3.0-eksbuild.1" - vpc_cni = "v1.18.2-eksbuild.1" + vpc_cni = "v1.18.3-eksbuild.2" } /* Observability Platform */ 
@@ -148,15 +148,15 @@ locals { /* EKS */ eks_sso_access_role = "modernisation-platform-developer" eks_cluster_version = "1.30" - eks_node_version = "1.20.4-b6163b2a" + eks_node_version = "1.21.0-4d43022e" eks_cluster_addon_versions = { - coredns = "v1.11.1-eksbuild.9" - kube_proxy = "v1.30.0-eksbuild.3" - aws_ebs_csi_driver = "v1.32.0-eksbuild.1" - aws_efs_csi_driver = "v2.0.5-eksbuild.1" + coredns = "v1.11.1-eksbuild.11" + kube_proxy = "v1.30.3-eksbuild.2" + aws_ebs_csi_driver = "v1.33.0-eksbuild.1" + aws_efs_csi_driver = "v2.0.6-eksbuild.2" aws_guardduty_agent = "v1.6.1-eksbuild.1" eks_pod_identity_agent = "v1.3.0-eksbuild.1" - vpc_cni = "v1.18.2-eksbuild.1" + vpc_cni = "v1.18.3-eksbuild.2" } /* Data Engineering Airflow */ diff --git a/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf b/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf index 84ac91391db..9de02f29616 100644 --- a/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf +++ b/terraform/environments/analytical-platform-compute/helm-charts-actions-runners.tf @@ -12,7 +12,7 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table" { /* https://github.com/ministryofjustice/analytical-platform-actions-runner */ name = "actions-runner-mojas-create-a-derived-table" repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts" - version = "2.318.0" + version = "2.319.1" chart = "actions-runner" namespace = kubernetes_namespace.actions_runners[0].metadata[0].name values = [ 
@@ -35,7 +35,7 @@ resource "helm_release" "actions_runner_mojas_create_a_derived_table_dpr" { /* https://github.com/ministryofjustice/analytical-platform-actions-runner */ name = "actions-runner-mojas-create-a-derived-table-dpr" repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts" - version = "2.318.0" + version = "2.319.1" chart = "actions-runner" namespace = kubernetes_namespace.actions_runners[0].metadata[0].name values = [ @@ -66,7 +66,7 @@ resource "helm_release" "actions_runner_mojas_airflow" { /* https://github.com/ministryofjustice/analytical-platform-actions-runner */ name = "actions-runner-mojas-airflow" repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts" - version = "2.318.0" + version = "2.319.1" chart = "actions-runner" namespace = kubernetes_namespace.actions_runners[0].metadata[0].name values = [ @@ -97,7 +97,7 @@ resource "helm_release" "actions_runner_mojas_airflow_create_a_pipeline" { /* https://github.com/ministryofjustice/analytical-platform-actions-runner */ name = "actions-runner-mojas-airflow-create-a-pipeline" repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts" - version = "2.318.0" + version = "2.319.1" chart = "actions-runner" namespace = kubernetes_namespace.actions_runners[0].metadata[0].name values = [ diff --git a/terraform/environments/analytical-platform-compute/helm-charts-applications.tf b/terraform/environments/analytical-platform-compute/helm-charts-applications.tf index d8b112c9dc0..476930d95f3 100644 --- a/terraform/environments/analytical-platform-compute/helm-charts-applications.tf +++ b/terraform/environments/analytical-platform-compute/helm-charts-applications.tf 
@@ -2,7 +2,7 @@ resource "helm_release" "ui" { /* https://github.com/ministryofjustice/analytical-platform-ui */ name = "ui" repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts" - version = "0.0.0-rc1" + version = "0.1.6" chart = "analytical-platform-ui" namespace = kubernetes_namespace.ui.metadata[0].name values = [ diff --git a/terraform/environments/analytical-platform-compute/helm-charts-mlops.tf b/terraform/environments/analytical-platform-compute/helm-charts-mlops.tf index a8912e8104d..b252916883f 100644 --- a/terraform/environments/analytical-platform-compute/helm-charts-mlops.tf +++ b/terraform/environments/analytical-platform-compute/helm-charts-mlops.tf @@ -2,7 +2,7 @@ resource "helm_release" "mlflow" { /* https://github.com/ministryofjustice/analytical-platform-mlflow */ name = "mlflow" repository = "oci://ghcr.io/ministryofjustice/analytical-platform-charts" - version = "2.15.1-rc1" + version = "2.15.1-rc2" chart = "mlflow" namespace = kubernetes_namespace.mlflow.metadata[0].name values = [ diff --git a/terraform/environments/analytical-platform-compute/helm-charts-system.tf b/terraform/environments/analytical-platform-compute/helm-charts-system.tf index 837598619d9..37988005610 100644 --- a/terraform/environments/analytical-platform-compute/helm-charts-system.tf +++ b/terraform/environments/analytical-platform-compute/helm-charts-system.tf 
@@ -64,11 +64,14 @@ resource "helm_release" "aws_for_fluent_bit" {
 
 resource "helm_release" "amazon_prometheus_proxy" {
   /* https://artifacthub.io/packages/helm/prometheus-community/kube-prometheus-stack */
-  /* If you are upgrading this chart, check whether the CRD version needs updating */
+  /*
+    If you are upgrading this chart, check whether the CRD version needs updating
+    https://github.com/prometheus-operator/prometheus-operator/releases
+  */
   name       = "amazon-prometheus-proxy"
   repository = "https://prometheus-community.github.io/helm-charts"
   chart      = "kube-prometheus-stack"
-  version    = "61.3.2"
+  version    = "61.9.0"
   namespace  = kubernetes_namespace.aws_observability.metadata[0].name
   values = [
     templatefile(
@@ -111,12 +114,34 @@ resource "helm_release" "cluster_autoscaler" {
 }
 
 /* Karpenter */
+resource "helm_release" "karpenter_crd" {
+  /* https://github.com/aws/karpenter-provider-aws/releases */
+  name       = "karpenter-crd"
+  repository = "oci://public.ecr.aws/karpenter"
+  chart      = "karpenter-crd"
+  version    = "1.0.0"
+  namespace  = kubernetes_namespace.karpenter.metadata[0].name
+
+  values = [
+    templatefile(
+      "${path.module}/src/helm/values/karpenter-crd/values.yml.tftpl",
+      {
+        service_namespace = kubernetes_namespace.karpenter.metadata[0].name
+      }
+    )
+  ]
+  depends_on = [
+    aws_iam_service_linked_role.spot,
+    module.karpenter
+  ]
+}
+
 resource "helm_release" "karpenter" {
   /* https://github.com/aws/karpenter-provider-aws/releases */
   name       = "karpenter"
   repository = "oci://public.ecr.aws/karpenter"
   chart      = "karpenter"
-  version    = "0.37.0"
+  version    = "1.0.0"
   namespace  = kubernetes_namespace.karpenter.metadata[0].name
 
   values = [
@@ -132,7 +157,8 @@ resource "helm_release" "karpenter" {
   ]
   depends_on = [
     aws_iam_service_linked_role.spot,
-    module.karpenter
+    module.karpenter,
+    helm_release.karpenter_crd
   ]
 }
 
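Review bot: `helm_release.karpenter_crd` is a first-time install of the `karpenter-crd` chart onto clusters where the NodePool/EC2NodeClass CRDs already exist, created from the `karpenter` chart's own `crds/` directory when 0.37.0 was applied; Helm will not adopt resources it did not create, so this release is likely to fail with an ownership error unless those CRDs are first labelled `app.kubernetes.io/managed-by=Helm` and annotated `meta.helm.sh/release-name=karpenter-crd` / `meta.helm.sh/release-namespace=<karpenter namespace>`. That adoption is a one-off out-of-band step Terraform cannot express, so it should at least be recorded above the resource, e.g. `/* CRDs previously installed by the karpenter chart must be labelled/annotated for Helm adoption before first apply */`. Separately, a CRD-only chart does not need to wait on `aws_iam_service_linked_role.spot` or `module.karpenter`; that `depends_on` only delays CRD installation and could be dropped. Whether these clusters were bootstrapped with the CRD chart out-of-band is not visible here, so the failure mode is inferred from the 0.37.0 history in this hunk.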
@@ -183,7 +209,7 @@ resource "helm_release" "cert_manager" { name = "cert-manager" repository = "https://charts.jetstack.io" chart = "cert-manager" - version = "v1.15.1" + version = "v1.15.3" namespace = kubernetes_namespace.cert_manager.metadata[0].name values = [ templatefile( @@ -236,7 +262,7 @@ resource "helm_release" "ingress_nginx" { name = "ingress-nginx" repository = "https://kubernetes.github.io/ingress-nginx" chart = "ingress-nginx" - version = "4.11.1" + version = "4.11.2" namespace = kubernetes_namespace.ingress_nginx.metadata[0].name values = [ templatefile( @@ -257,7 +283,7 @@ resource "helm_release" "external_secrets" { name = "external-secrets" repository = "https://charts.external-secrets.io" chart = "external-secrets" - version = "0.9.20" + version = "0.10.0" namespace = kubernetes_namespace.external_secrets.metadata[0].name values = [ templatefile( @@ -284,7 +310,7 @@ resource "helm_release" "keda" { name = "keda" repository = "https://kedacore.github.io/charts" chart = "keda" - version = "2.14.2" + version = "2.15.1" namespace = kubernetes_namespace.keda.metadata[0].name values = [ templatefile( diff --git a/terraform/environments/analytical-platform-compute/iam-policies.tf b/terraform/environments/analytical-platform-compute/iam-policies.tf index 0715e51da82..21004eddf9b 100644 --- a/terraform/environments/analytical-platform-compute/iam-policies.tf +++ b/terraform/environments/analytical-platform-compute/iam-policies.tf @@ -18,7 +18,7 @@ module "eks_cluster_logs_kms_access_iam_policy" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.41.0" + version = "5.44.0" name_prefix = "eks-cluster-logs-kms-access" 
@@ -45,7 +45,7 @@ module "karpenter_sqs_kms_access_iam_policy" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.41.0" + version = "5.44.0" name_prefix = "karpenter-sqs-kms-access" @@ -71,7 +71,7 @@ module "amazon_prometheus_proxy_iam_policy" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.41.0" + version = "5.44.0" name_prefix = "amazon-prometheus-proxy" @@ -98,7 +98,7 @@ module "managed_prometheus_kms_access_iam_policy" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.41.0" + version = "5.44.0" name_prefix = "managed-prometheus-kms-access" @@ -147,7 +147,7 @@ module "mlflow_iam_policy" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.41.0" + version = "5.44.0" name_prefix = "mlflow" @@ -168,7 +168,7 @@ module "gha_mojas_airflow_iam_policy" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.41.0" + version = "5.44.0" name_prefix = "github-actions-mojas-airflow" @@ -274,7 +274,7 @@ module "analytical_platform_lake_formation_share_policy" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.41.0" + version = "5.44.0" name_prefix = "analytical-platform-lake-formation-sharing-policy" diff --git a/terraform/environments/analytical-platform-compute/iam-roles.tf b/terraform/environments/analytical-platform-compute/iam-roles.tf index 2dea42ab783..11ea0c06b97 100644 --- a/terraform/environments/analytical-platform-compute/iam-roles.tf 
+++ b/terraform/environments/analytical-platform-compute/iam-roles.tf @@ -3,7 +3,7 @@ module "vpc_cni_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.41.0" + version = "5.44.0" role_name_prefix = "vpc-cni" attach_vpc_cni_policy = true @@ -24,7 +24,7 @@ module "ebs_csi_driver_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.41.0" + version = "5.44.0" role_name_prefix = "ebs-csi-driver" attach_ebs_csi_policy = true @@ -44,7 +44,7 @@ module "efs_csi_driver_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.41.0" + version = "5.44.0" role_name_prefix = "efs-csi-driver" attach_efs_csi_policy = true @@ -64,7 +64,7 @@ module "aws_for_fluent_bit_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.41.0" + version = "5.44.0" role_name_prefix = "aws-for-fluent-bit" @@ -88,7 +88,7 @@ module "amazon_prometheus_proxy_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.41.0" + version = "5.44.0" role_name_prefix = "amazon-prometheus-proxy" @@ -111,7 +111,7 @@ module "cluster_autoscaler_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.41.0" + version = "5.44.0" role_name_prefix = "cluster-autoscaler" 
@@ -133,7 +133,7 @@ module "external_dns_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.41.0" + version = "5.44.0" role_name_prefix = "external-dns" attach_external_dns_policy = true @@ -154,7 +154,7 @@ module "cert_manager_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.41.0" + version = "5.44.0" role_name_prefix = "cert-manager" attach_cert_manager_policy = true @@ -175,7 +175,7 @@ module "external_secrets_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.41.0" + version = "5.44.0" role_name_prefix = "external-secrets" attach_external_secrets_policy = true @@ -196,7 +196,7 @@ module "mlflow_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.41.0" + version = "5.44.0" role_name_prefix = "mlflow" @@ -219,7 +219,7 @@ module "gha_mojas_airflow_iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role" - version = "5.41.0" + version = "5.44.0" name = "github-actions-mojas-airflow" @@ -237,7 +237,7 @@ module "lake_formation_share_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" - version = "5.41.0" + version = "5.44.0" create_role = true role_requires_mfa = false 
@@ -265,7 +265,7 @@ module "analytical_platform_ui_service_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks" - version = "5.41.0" + version = "5.44.0" create_role = true diff --git a/terraform/environments/analytical-platform-compute/lakeformation-data-lake-settings.tf b/terraform/environments/analytical-platform-compute/lakeformation-data-lake-settings.tf index 7f7c1f82538..2302db582e3 100644 --- a/terraform/environments/analytical-platform-compute/lakeformation-data-lake-settings.tf +++ b/terraform/environments/analytical-platform-compute/lakeformation-data-lake-settings.tf @@ -1,3 +1,7 @@ resource "aws_lakeformation_data_lake_settings" "main" { - admins = [data.aws_iam_session_context.current.issuer_arn, module.lake_formation_share_role.iam_role_arn] + admins = [ + data.aws_iam_session_context.current.issuer_arn, + module.lake_formation_share_role.iam_role_arn, + module.analytical_platform_ui_service_role.iam_role_arn + ] } diff --git a/terraform/environments/analytical-platform-compute/route53-zones.tf b/terraform/environments/analytical-platform-compute/route53-zones.tf index 668595ee065..6be83bcb4bf 100644 --- a/terraform/environments/analytical-platform-compute/route53-zones.tf +++ b/terraform/environments/analytical-platform-compute/route53-zones.tf @@ -3,7 +3,7 @@ module "route53_zones" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/route53/aws//modules/zones" - version = "3.1.0" + version = "4.0.0" zones = { # tflint-ignore: terraform_deprecated_interpolation diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml index 4e7094a093d..d9b842b08b3 100644 
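Review bot: Appending `module.analytical_platform_ui_service_role.iam_role_arn` to `admins` turns a pod-assumed EKS service-account role (it is built from `iam-role-for-service-accounts-eks` in the hunk above) into a Lake Formation data lake administrator, which can grant and revoke permissions on every database and table in the catalog, far beyond what a UI that reads or lists data needs. Unless the UI genuinely has to administer the lake, give it scoped `aws_lakeformation_permissions` grants (for example `DESCRIBE`/`SELECT` on the specific resources it serves) and keep `admins` to the session principal and the sharing role. If admin really is required, say so on the line: `module.analytical_platform_ui_service_role.iam_role_arn # UI manages LF grants on behalf of users - see <ticket>`. What the UI actually does with the catalog is not visible in this diff.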
--- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml
+++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/Chart.yaml
@@ -3,4 +3,4 @@ apiVersion: v2
 name: karpenter-configuration
 description: A Helm chart to deploy Karpenter's configuration
 type: application
-version: 1.4.0
+version: 1.7.0
\ No newline at end of file
diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml
index c3ba54eabd4..98cd1594723 100644
--- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml
+++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-on-demand.yaml
@@ -30,6 +30,6 @@ spec:
         - key: karpenter.sh/capacity-type
           operator: In
           values: ["on-demand"]
-        - key: node.kubernetes.io/instance-type
+        - key: karpenter.k8s.aws/instance-family
           operator: In
-          values: ["p3.2xlarge","p3.8xlarge"]
+          values: ["g5", "g6"]
diff --git a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml
index 5db7c301959..fcefdfeb057 100644
--- a/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml
+++ b/terraform/environments/analytical-platform-compute/src/helm/charts/karpenter-configuration/templates/node-pool-gpu-spot.yaml
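Review bot: Replacing the two explicit `p3` instance types with `karpenter.k8s.aws/instance-family: In ["g5", "g6"]` drops the size bound, so this on-demand pool can now be satisfied by anything from `g5.xlarge` up to `g5.48xlarge`/`g6.48xlarge`; if the old list was also serving as a cost ceiling, add a matching `karpenter.k8s.aws/instance-size` requirement (e.g. `values: ["xlarge", "2xlarge", "4xlarge"]`) or confirm the pool's `limits` block caps `nvidia.com/gpu`/`cpu`. The rest of the NodePool spec, including any `limits`, is outside this hunk, so whether a cap already exists is not visible here.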
@@ -30,6 +30,6 @@ spec: - key: karpenter.sh/capacity-type operator: In values: ["spot"] - - key: node.kubernetes.io/instance-type + - key: karpenter.k8s.aws/instance-family operator: In - values: ["p3.2xlarge","p3.8xlarge"] + values: ["g5", "g6"] diff --git a/terraform/environments/analytical-platform-compute/src/helm/values/karpenter-crd/values.yml.tftpl b/terraform/environments/analytical-platform-compute/src/helm/values/karpenter-crd/values.yml.tftpl new file mode 100644 index 00000000000..dc45a9c45ba --- /dev/null +++ b/terraform/environments/analytical-platform-compute/src/helm/values/karpenter-crd/values.yml.tftpl @@ -0,0 +1,3 @@ +--- +webhook: + serviceNamespace: ${service_namespace} diff --git a/terraform/environments/analytical-platform-compute/vpc-endpoints.tf b/terraform/environments/analytical-platform-compute/vpc-endpoints.tf index 02f86b0d759..75b40822f0b 100644 --- a/terraform/environments/analytical-platform-compute/vpc-endpoints.tf +++ b/terraform/environments/analytical-platform-compute/vpc-endpoints.tf @@ -3,7 +3,7 @@ module "vpc_endpoints" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints" - version = "5.9.0" + version = "5.13.0" vpc_id = module.vpc.vpc_id subnet_ids = module.vpc.private_subnets diff --git a/terraform/environments/analytical-platform-compute/vpc.tf b/terraform/environments/analytical-platform-compute/vpc.tf index cc0167e99d6..e82606e1482 100644 --- a/terraform/environments/analytical-platform-compute/vpc.tf +++ b/terraform/environments/analytical-platform-compute/vpc.tf @@ -6,7 +6,7 @@ module "vpc" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/vpc/aws" - version = "5.9.0" + version = "5.13.0" name = local.our_vpc_name azs = slice(data.aws_availability_zones.available.names, 0, 3) 
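Review bot: The spot pool gets the same size-unbounded `instance-family` requirement, and here it matters more: when the smaller g5/g6 spot sizes are interrupted or unavailable, Karpenter can legitimately fall back to the largest sizes in the family, so an explicit `karpenter.k8s.aws/instance-size` requirement or a `limits` block on this NodePool is the only thing bounding spend. Consider sourcing both pools' size requirement from one shared values entry so they cannot drift apart. The NodePool spec starts outside this hunk.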
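Review bot: The new values file sets only `webhook.serviceNamespace`; in Karpenter 1.0.x the `v1beta1` NodePool/EC2NodeClass objects keep working through a conversion webhook that the `karpenter-crd` chart installs only when its `webhook.enabled` value is on, and if that defaults to false in chart 1.0.0 (confirm against the chart's values.yaml) the existing karpenter-configuration resources will stop converting once `helm_release.karpenter` moves to 1.0.0. Make the intent explicit by adding `enabled: true` and `serviceName: karpenter` under `webhook:`, with `serviceName` matching the `helm_release.karpenter` release name so the CRD's conversion webhook can reach the controller's Service. Which apiVersion the NodePool templates declare is not visible in this diff, so the need for conversion is inferred from the 0.37.0 → 1.0.0 chart history.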
diff --git a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf index 8dca75f2a2d..bcb4bfea848 100644 --- a/terraform/environments/analytical-platform-ingestion/environment-configuration.tf +++ b/terraform/environments/analytical-platform-ingestion/environment-configuration.tf @@ -13,9 +13,9 @@ locals { observability_platform = "development" /* Image Versions */ - scan_image_version = "0.0.7" - transfer_image_version = "0.0.12" - notify_image_version = "0.0.13" + scan_image_version = "0.0.8" + transfer_image_version = "0.0.13" + notify_image_version = "0.0.14" /* Target Buckets */ target_buckets = ["mojap-land-dev"] @@ -44,9 +44,9 @@ locals { observability_platform = "production" /* Image Versions */ - scan_image_version = "0.0.7" - transfer_image_version = "0.0.12" - notify_image_version = "0.0.13" + scan_image_version = "0.0.8" + transfer_image_version = "0.0.13" + notify_image_version = "0.0.14" /* Target Buckets */ target_buckets = ["mojap-land"] diff --git a/terraform/environments/ccms-ebs/ccms-waf.tf b/terraform/environments/ccms-ebs/ccms-waf.tf index 67bca7d020d..8e56a650a5e 100644 --- a/terraform/environments/ccms-ebs/ccms-waf.tf +++ b/terraform/environments/ccms-ebs/ccms-waf.tf @@ -30,6 +30,10 @@ resource "aws_wafv2_ip_set" "ebs_waf_ip_set" { "20.49.214.228/32", // Azure Landing Zone Egress "51.149.251.0/24", // MoJO Pre-Production Account BYOIP CIDR range "51.149.249.64/29", // 10SC Model Office + "194.33.200.0/21", // PRP DIA Sites + "194.33.216.0/23", // PRP DIA Sites + "194.33.218.0/24", // PRP DIA Sites + "128.77.75.64/26", // Palo Alto Prisma Access Egress IP Addresses "10.26.59.0/25", // DEV NLB Subnet eu-west-2a "10.26.59.128/25", // DEV NLB Subnet eu-west-2b "10.26.60.0/25", // DEV NLB Subnet eu-west-2c 
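Review bot: `194.33.200.0/21` is the widest range visible in this allow-list (2,048 addresses, against /24 and smaller for the rest) and it shares the generic `// PRP DIA Sites` label with two other entries, so a later reviewer cannot tell whether the whole /21 is intended or a narrower block would do; name the owner and request on the line, e.g. `"194.33.200.0/21", // PRP DIA Sites - whole /21 confirmed with <team>, <ticket>`. The same four CIDRs are added to `cdpt-ifs` in this commit, which suggests a shared local or module for MoJ egress ranges would stop the copies drifting. The `aws_wafv2_ip_set` resource starts and ends outside this hunk.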
diff --git a/terraform/environments/cdpt-ifs/loadbalancer.tf b/terraform/environments/cdpt-ifs/loadbalancer.tf index 8fe06aa62fc..ed95db3532a 100644 --- a/terraform/environments/cdpt-ifs/loadbalancer.tf +++ b/terraform/environments/cdpt-ifs/loadbalancer.tf @@ -8,7 +8,7 @@ # from_port = 443 # to_port = 443 # protocol = "tcp" -# cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"] +# cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26","194.33.200.0/21","194.33.216.0/23","194.33.218.0/24","128.77.75.64/26"] # } # egress { 
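Review bot: This hunk extends the CIDR list inside a security-group rule that is entirely commented out, so the same allow-list is now maintained by hand in dead code here and in the live definition in `locals.tf`; delete the commented block, or reduce it to a pointer such as `# ingress CIDRs are defined in locals.tf` so the next change has one place to go. The boundaries of the commented block are outside this hunk.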
@@ -89,7 +89,7 @@ module "lb_access_logs_enabled" { account_number = local.environment_management.account_ids[terraform.workspace] region = "eu-west-2" enable_deletion_protection = false - idle_timeout = 60 + idle_timeout = 180 tags = { Name = "lb_module" } } @@ -187,4 +187,5 @@ resource "aws_lb_listener" "https_listener" { target_group_arn = aws_lb_target_group.ifs_target_group.id type = "forward" } + } diff --git a/terraform/environments/cdpt-ifs/locals.tf b/terraform/environments/cdpt-ifs/locals.tf index 7a58e2311c6..f5f7b34de79 100644 --- a/terraform/environments/cdpt-ifs/locals.tf +++ b/terraform/environments/cdpt-ifs/locals.tf 
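Review bot: `idle_timeout = 180` triples how long the load balancer holds an idle client connection open, with no comment saying why. If the motivation is slow back-end responses, the target's own keep-alive timeout has to exceed 180 s or the target will close first and the ALB will surface 502s, and a longer idle window also lets each client pin a connection three times longer. Add the rationale inline, e.g. `idle_timeout = 180 # <reason>; target keep-alive must be > 180s`. The `lb_access_logs_enabled` module block continues outside the hunk.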
@@ -26,7 +26,7 @@ locals {
 from_port = 443
 to_port = 443
 protocol = "tcp"
- cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26"]
+ cidr_blocks = ["188.214.15.75/32", "192.168.5.101/32", "81.134.202.29/32", "79.152.189.104/32", "179.50.12.212/32", "188.172.252.34/32", "194.33.192.0/25", "194.33.193.0/25", "194.33.196.0/25", "194.33.197.0/25", "195.59.75.0/24", "201.33.21.5/32", "213.121.161.112/28", "52.67.148.55/32", "54.94.206.111/32", "178.248.34.42/32", "178.248.34.43/32", "178.248.34.44/32", "178.248.34.45/32", "178.248.34.46/32", "178.248.34.47/32", "89.32.121.144/32", "185.191.249.100/32", "2.138.20.8/32", "18.169.147.172/32", "35.176.93.186/32", "18.130.148.126/32", "35.176.148.126/32", "51.149.250.0/24", "51.149.249.0/29", "194.33.249.0/29", "51.149.249.32/29", "194.33.248.0/29", "20.49.214.199/32", "20.49.214.228/32", "20.26.11.71/32", "20.26.11.108/32", "128.77.75.128/26", "194.33.200.0/21", "194.33.216.0/23", "194.33.218.0/24", "128.77.75.64/26"]
 security_groups = []
 }
 }
diff --git a/terraform/environments/contract-work-administration/app_servers.tf b/terraform/environments/contract-work-administration/app_servers.tf
index f666e816f8b..bd44960778f 100644
--- a/terraform/environments/contract-work-administration/app_servers.tf
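Review bot: The four new ranges are appended to a single-line list of roughly forty unannotated CIDRs on port 443, so nothing records who owns them or when they can be removed — unlike the ccms-ebs WAF IP set in this same commit, where every entry carries a comment. Restructure as a multi-line list with one range per line and a trailing `# owner / purpose` comment; that also makes future diffs show exactly which range changed instead of one 1,000-character line. The `locals` block continues outside the hunk.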
+++ b/terraform/environments/contract-work-administration/app_servers.tf @@ -107,9 +107,9 @@ ln -s /bin/mail /bin/mailx ## Update the send mail url echo "Update Sendmail configurations" -sed -i 's/${local.application_data.accounts[local.environment].old_mail_server_url}/${aws_route53_record.smtp.name}/g' /etc/mail/sendmail.cf +sed -i 's/${local.application_data.accounts[local.environment].old_mail_server_url}/${local.application_data.accounts[local.environment].laa_mail_relay_url}/g' /etc/mail/sendmail.cf sed -i 's/${local.application_data.accounts[local.environment].old_domain_name}/${data.aws_route53_zone.external.name}/g' /etc/mail/sendmail.cf -sed -i 's/${local.application_data.accounts[local.environment].old_mail_server_url}/${aws_route53_record.smtp.name}/g' /etc/mail/sendmail.mc +sed -i 's/${local.application_data.accounts[local.environment].old_mail_server_url}/${local.application_data.accounts[local.environment].laa_mail_relay_url}/g' /etc/mail/sendmail.mc sed -i 's/${local.application_data.accounts[local.environment].old_domain_name}/${data.aws_route53_zone.external.name}/g' /etc/mail/sendmail.mc /etc/init.d/sendmail restart diff --git a/terraform/environments/contract-work-administration/application_variables.json b/terraform/environments/contract-work-administration/application_variables.json index a87e4fac4ad..2fdcc607cfd 100644 --- a/terraform/environments/contract-work-administration/application_variables.json +++ b/terraform/environments/contract-work-administration/application_variables.json 
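Review bot: Both `sed` substitutions interpolate the old and new hostnames straight into an `s/…/…/g` expression, so the unescaped dots in `old_mail_server_url` are regex wildcards and any `/` or `&` in either value would break the command or alter the replacement; today's values happen to be safe, but a future edit to application_variables.json would not be caught. Use a delimiter that cannot appear in a hostname and escape the pattern, e.g. `sed -i 's|${replace(local.application_data.accounts[local.environment].old_mail_server_url, ".", "\\.")}|${local.application_data.accounts[local.environment].laa_mail_relay_url}|g' /etc/mail/sendmail.cf`, and the same for the sendmail.mc line. The user-data script this runs in starts before the hunk.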
@@ -43,9 +43,8 @@ "database_diskspace_threshold": "95", "database_read_write_ops_threshold": "1100000", "database_oradata_queue_length_threshold": "3", - "smtp_ami_id": "ami-07c2c2bf769d5174d", - "smtp_instance_type": "t2.large", "old_mail_server_url": "mail.aws.dev.legalservices.gov.uk", + "laa_mail_relay_url": "laa-mail.laa-development.modernisation-platform.service.justice.gov.uk", "old_domain_name": "dev.legalservices.gov.uk", "app_disk_space_alert_threshold": "92" }, diff --git a/terraform/environments/contract-work-administration/concurrent_manager.tf b/terraform/environments/contract-work-administration/concurrent_manager.tf index ecfa403b72f..01144e6a2d0 100644 --- a/terraform/environments/contract-work-administration/concurrent_manager.tf +++ b/terraform/environments/contract-work-administration/concurrent_manager.tf @@ -108,9 +108,9 @@ ln -s /bin/mail /bin/mailx ## Update the send mail url echo "Updating the sendmail config" -sed -i 's/${local.application_data.accounts[local.environment].old_mail_server_url}/${aws_route53_record.smtp.name}/g' /etc/mail/sendmail.cf +sed -i 's/${local.application_data.accounts[local.environment].old_mail_server_url}/${local.application_data.accounts[local.environment].laa_mail_relay_url}/g' /etc/mail/sendmail.cf sed -i 's/${local.application_data.accounts[local.environment].old_domain_name}/${data.aws_route53_zone.external.name}/g' /etc/mail/sendmail.cf -sed -i 's/${local.application_data.accounts[local.environment].old_mail_server_url}/${aws_route53_record.smtp.name}/g' /etc/mail/sendmail.mc +sed -i 's/${local.application_data.accounts[local.environment].old_mail_server_url}/${local.application_data.accounts[local.environment].laa_mail_relay_url}/g' /etc/mail/sendmail.mc sed -i 's/${local.application_data.accounts[local.environment].old_domain_name}/${data.aws_route53_zone.external.name}/g' /etc/mail/sendmail.mc /etc/init.d/sendmail restart 
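Review bot: `laa_mail_relay_url` is added to only one account block here, while app_servers.tf, concurrent_manager.tf and database.tf now read `local.application_data.accounts[local.environment].laa_mail_relay_url` unconditionally. If the other environment blocks in this file (outside the hunk) do not also define the key, `terraform plan` for those workspaces fails with an unsupported-attribute error; if they were given the same `laa-development` hostname to make the plan pass, non-development servers would relay mail through the development relay. Add the key to every account block with that environment's own relay hostname. The `accounts` object continues outside the hunk.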
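Review bot: This sendmail-rewrite block is now byte-identical in app_servers.tf, concurrent_manager.tf and database.tf, and the commit had to patch all three in lock-step; rendering one `sendmail_rewrite.sh.tftpl` via `templatefile()` with the two hostnames as variables would keep them in step. It would also help to say in a comment why the legacy `mail.aws.dev.legalservices.gov.uk` value is still patched out at boot — presumably the AMI still ships that configuration — so a later image rebuild knows this step can be dropped. The user-data script continues outside the hunk.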
diff --git a/terraform/environments/contract-work-administration/database.tf b/terraform/environments/contract-work-administration/database.tf index ea977c32cc1..86b42d9c381 100644 --- a/terraform/environments/contract-work-administration/database.tf +++ b/terraform/environments/contract-work-administration/database.tf @@ -79,9 +79,9 @@ echo "$CM_IP ${local.application_name_short}-app2.${data.aws_route53_zone.extern ## Update the send mail url echo "Update Sendmail configurations" -sed -i 's/${local.application_data.accounts[local.environment].old_mail_server_url}/${aws_route53_record.smtp.name}/g' /etc/mail/sendmail.cf +sed -i 's/${local.application_data.accounts[local.environment].old_mail_server_url}/${local.application_data.accounts[local.environment].laa_mail_relay_url}/g' /etc/mail/sendmail.cf sed -i 's/${local.application_data.accounts[local.environment].old_domain_name}/${data.aws_route53_zone.external.name}/g' /etc/mail/sendmail.cf -sed -i 's/${local.application_data.accounts[local.environment].old_mail_server_url}/${aws_route53_record.smtp.name}/g' /etc/mail/sendmail.mc +sed -i 's/${local.application_data.accounts[local.environment].old_mail_server_url}/${local.application_data.accounts[local.environment].laa_mail_relay_url}/g' /etc/mail/sendmail.mc sed -i 's/${local.application_data.accounts[local.environment].old_domain_name}/${data.aws_route53_zone.external.name}/g' /etc/mail/sendmail.mc /etc/init.d/sendmail restart diff --git a/terraform/environments/contract-work-administration/ec2_iam_profile.tf b/terraform/environments/contract-work-administration/ec2_iam_profile.tf index 002fccac67f..60a4bcae17b 100644 --- a/terraform/environments/contract-work-administration/ec2_iam_profile.tf +++ b/terraform/environments/contract-work-administration/ec2_iam_profile.tf 
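Review bot: Swapping the relay hostname is the only change here; nothing in the hunk shows whether the connection to the new `laa-mail…service.justice.gov.uk` relay is authenticated or uses STARTTLS, and with the in-account SMTP instance removed elsewhere in this commit, mail from the database host now goes to a relay outside this stack. If the relay is meant to accept only these hosts, confirm that is enforced by the relay's allow-list or security group rather than by hostname alone, and record that in a comment above the `sed` lines. The user-data script continues outside the hunk.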
@@ -115,93 +115,4 @@ resource "aws_iam_role_policy_attachment" "cw_agent" { resource "aws_iam_role_policy_attachment" "cwa" { role = aws_iam_role.cwa.name policy_arn = aws_iam_policy.cwa.arn -} - -################################ -# SMTP EC2 Instance Profile -################################ - -resource "aws_iam_instance_profile" "smtp" { - name = "${local.application_name}-smtp-instance-profile" - role = aws_iam_role.smtp.name - tags = merge( - local.tags, - { - Name = "${local.application_name}-smtp-instance-profile" - } - ) -} - -resource "aws_iam_role" "smtp" { - name = "${local.application_name}-smtp-instance-role" - tags = merge( - local.tags, - { - Name = "${local.application_name}-smtp-instance-role" - } - ) - path = "/" - assume_role_policy = <&1 4>&2 -trap 'exec 2>&4 1>&3' 0 1 2 3 -exec 1>"$LOG_FILE" 2>&1 - -readonly SOURCE_DIR="." -readonly LAMBDA_ZIP="deployment_package.zip" -readonly BUILD_DIR="build" -readonly VENV_DIR="venv" - -msg() { - echo "$@" >&3 -} - -dependencies=( - "python3" - "zip" -) - -for cmd in "${dependencies[@]}"; do - if ! command -v "$cmd" &>/dev/null; then - msg "Error: Required command '$cmd' is not available." - exit 1 - fi -done - -msg "Creating virtual environment..." -python3 -m venv $VENV_DIR - -msg "Activating virtual environment..." -# shellcheck disable=SC1091 -source $VENV_DIR/bin/activate - -mkdir -p $BUILD_DIR - -msg "Downloading requirements..." -pip install --requirement "$SOURCE_DIR/requirements.txt" --target $BUILD_DIR - -msg "Copying source files..." -cp "$SOURCE_DIR/requirements.txt" $BUILD_DIR/ -cp "$SOURCE_DIR"/*.py $BUILD_DIR/ - -msg "Creating ZIP file..." -(cd $BUILD_DIR && zip --recurse-paths ../$LAMBDA_ZIP ./*) - -msg "Cleaning up..." -deactivate -rm -rf $BUILD_DIR $VENV_DIR - -msg -msg "Lambda package created: $LAMBDA_ZIP" -msg "Full log: $LOG_FILE" 
diff --git a/terraform/environments/corporate-staff-rostering/lambda/cw-xml-to-json/deployment_package.zip b/terraform/environments/corporate-staff-rostering/lambda/cw-xml-to-json/deployment_package.zip deleted file mode 100644 index 7ba3764c9f1..00000000000 Binary files a/terraform/environments/corporate-staff-rostering/lambda/cw-xml-to-json/deployment_package.zip and /dev/null differ diff --git a/terraform/environments/corporate-staff-rostering/lambda/cw-xml-to-json/lambda_function.py b/terraform/environments/corporate-staff-rostering/lambda/cw-xml-to-json/lambda_function.py deleted file mode 100644 index f64739c094f..00000000000 --- a/terraform/environments/corporate-staff-rostering/lambda/cw-xml-to-json/lambda_function.py +++ /dev/null 
@@ -1,76 +0,0 @@ -import base64 -import json -import zlib - -import boto3 -from botocore.exceptions import ClientError -import xmltodict - - -DEST_LOG_GROUP = "cwagent-windows-application-json" - - -def xml_to_dict(xml_string): - try: - xml_dict = xmltodict.parse(xml_string) - return xml_dict - except Exception as e: - return f"Error: {e}" - - -def create_log_stream(log_group_name, log_stream_name): - client = boto3.client("logs") - - try: - response = client.describe_log_streams( - logGroupName=log_group_name, logStreamNamePrefix=log_stream_name, limit=1 - ) - - streams = response.get("logStreams", []) - if not any(s["logStreamName"] == log_stream_name for s in streams): - print("Creating new log stream.") - client.create_log_stream( - logGroupName=log_group_name, logStreamName=log_stream_name - ) - - except ClientError as e: - print(f"An error occurred: {e}") - - -def lambda_handler(event, context): - print("Processing log event.") - - logs_client = boto3.client("logs") - - compressed_payload = base64.b64decode(event["awslogs"]["data"]) - uncompressed_payload = zlib.decompress(compressed_payload, 16 + zlib.MAX_WBITS) - - log_data = json.loads(uncompressed_payload) - - print(log_data) - - dest_log_group = DEST_LOG_GROUP - dest_log_stream = log_data["logStream"] - - create_log_stream(dest_log_group, dest_log_stream) - - for log_event in log_data["logEvents"]: - new_log_message = { - "_": {"sourceLogStream": log_data["logStream"]} - } | xml_to_dict(log_event["message"]) - - new_log_event = { - "timestamp": log_event["timestamp"], - "message": json.dumps(new_log_message), - } - - print("Putting new log event.") - print(new_log_event) - - logs_client.put_log_events( - logGroupName=dest_log_group, - logStreamName=dest_log_stream, - logEvents=[new_log_event], - ) - - return {"statusCode": 200, "body": json.dumps("Log processing complete.")} 
diff --git a/terraform/environments/corporate-staff-rostering/lambda/cw-xml-to-json/requirements.txt b/terraform/environments/corporate-staff-rostering/lambda/cw-xml-to-json/requirements.txt deleted file mode 100644 index 75186eced91..00000000000 --- a/terraform/environments/corporate-staff-rostering/lambda/cw-xml-to-json/requirements.txt +++ /dev/null @@ -1,2 +0,0 @@ -xmltodict~=0.13 -boto3 diff --git a/terraform/environments/corporate-staff-rostering/locals.tf b/terraform/environments/corporate-staff-rostering/locals.tf index 590f6d586a5..064106fa5b9 100644 --- a/terraform/environments/corporate-staff-rostering/locals.tf +++ b/terraform/environments/corporate-staff-rostering/locals.tf @@ -46,11 +46,6 @@ locals { enable_s3_software_bucket = true s3_iam_policies = ["EC2S3BucketWriteAndDeleteAccessPolicy"] software_bucket_name = "csr-software" - sns_topics = { - pagerduty_integrations = { - csr_pagerduty = "csr_alarms" - } - } } } @@ -68,8 +63,6 @@ locals { } }) - cloudwatch_log_metric_filters = local.cloudwatch_app_log_metric_filters - iam_policies = { CSRWebServerPolicy = { description = "Policy allowing access to instances via the Serial Console" diff --git a/terraform/environments/corporate-staff-rostering/locals_cloudwatch_app_log.tf b/terraform/environments/corporate-staff-rostering/locals_cloudwatch_app_log.tf deleted file mode 100644 index 9935f89ff60..00000000000 --- a/terraform/environments/corporate-staff-rostering/locals_cloudwatch_app_log.tf +++ /dev/null 
@@ -1,81 +0,0 @@ -# additional infra for these metrics can be found in the lambda sources -locals { - cloudwatch_app_log_metric_filters_meta = { - log_group_name = "cwagent-windows-application-json" - namespace = "ApplicationLog" - } - cloudwatch_app_log_metric_filters_defaults = { - log_group_name = local.cloudwatch_app_log_metric_filters_meta.log_group_name - - metric_transformation = { - namespace = local.cloudwatch_app_log_metric_filters_meta.namespace - value = 1 - dimensions = { - "InstanceId" = "$._.sourceLogStream" - } - } - } - cloudwatch_app_log_metric_filters = { - iwfm-enterprise-server-started = merge(local.cloudwatch_app_log_metric_filters_defaults, { - pattern = "{ $.Event.RenderingInfo.Message = %^iWFM Enterprise Server v.+ daemon started\\.% }" - - metric_transformation = merge(local.cloudwatch_app_log_metric_filters_defaults.metric_transformation, { - name = "iWFMEnterpriseServerStarted" - }) - }) - iwfm-enterprise-server-terminated = merge(local.cloudwatch_app_log_metric_filters_defaults, { - # `\x28` and `\x29` denote `(` and `)` respectively. - # this is because AWS do not allow parentheses in the filter pattern. - pattern = "{ $.Event.RenderingInfo.Message = %^iWFM Enterprise Server \\x28PID \\d+\\x29 terminated\\.% }" - - metric_transformation = merge(local.cloudwatch_app_log_metric_filters_defaults.metric_transformation, { - name = "iWFMEnterpriseServerTerminated" - }) - }) - invision-http-server-started = merge(local.cloudwatch_app_log_metric_filters_defaults, { - pattern = "{ $.Event.RenderingInfo.Message = %^InVision HTTP Server started\\.% }" - - metric_transformation = merge(local.cloudwatch_app_log_metric_filters_defaults.metric_transformation, { - name = "InVisionHTTPServerStarted" - }) - }) - invision-http-server-terminated = merge(local.cloudwatch_app_log_metric_filters_defaults, { - # `\x28` and `\x29` denote `(` and `)` respectively. - # this is because AWS do not allow parentheses in the filter pattern. 
- pattern = "{ $.Event.RenderingInfo.Message = %^InVision HTTP Server \\x28PID \\d+\\x29 terminated\\.% }" - - metric_transformation = merge(local.cloudwatch_app_log_metric_filters_defaults.metric_transformation, { - name = "InVisionHTTPServerTerminated" - }) - }) - } - cloudwatch_app_log_metric_alarms_defaults = { - namespace = local.cloudwatch_app_log_metric_filters_meta.namespace - period = 60 - evaluation_periods = 1 - statistic = "Sum" - comparison_operator = "GreaterThanThreshold" - threshold = 2 - treat_missing_data = "notBreaching" - } - # these alarms are applied directly to ec2 instances. - # see the configs for individual instances. - cloudwatch_app_log_metric_alarms = { - app = { - iwfm-enterprise-server-started = merge(local.cloudwatch_app_log_metric_alarms_defaults, { - metric_name = local.cloudwatch_app_log_metric_filters.iwfm-enterprise-server-started.metric_transformation.name - }) - iwfm-enterprise-server-terminated = merge(local.cloudwatch_app_log_metric_alarms_defaults, { - metric_name = local.cloudwatch_app_log_metric_filters.iwfm-enterprise-server-terminated.metric_transformation.name - }) - } - web = { - invision-http-server-started = merge(local.cloudwatch_app_log_metric_alarms_defaults, { - metric_name = local.cloudwatch_app_log_metric_filters.invision-http-server-started.metric_transformation.name - }) - invision-http-server-terminated = merge(local.cloudwatch_app_log_metric_alarms_defaults, { - metric_name = local.cloudwatch_app_log_metric_filters.invision-http-server-terminated.metric_transformation.name - }) - } - } -} diff --git a/terraform/environments/corporate-staff-rostering/locals_cloudwatch_metric_alarms.tf b/terraform/environments/corporate-staff-rostering/locals_cloudwatch_metric_alarms.tf index a589629eb13..287da9901f8 100644 --- a/terraform/environments/corporate-staff-rostering/locals_cloudwatch_metric_alarms.tf +++ b/terraform/environments/corporate-staff-rostering/locals_cloudwatch_metric_alarms.tf 
@@ -1,12 +1,44 @@ locals { cloudwatch_metric_alarms = { + windows = { + cwagent-process-count = { + alarm_description = "The CloudWatch agent runs 2 processes. If the PID count drops below 2, the agent is not functioning as expected." + namespace = "CWAgent" + metric_name = "procstat_lookup pid_count" + period = 60 + evaluation_periods = 1 + statistic = "Average" + comparison_operator = "LessThanThreshold" + threshold = 2 # CloudWatch agent runs 2 processes + treat_missing_data = "breaching" + dimensions = { + exe = "amazon-cloudwatch-agent" + pid_finder = "native" + } + } + ssm-agent-process-count = { + alarm_description = "The SSM agent runs 2 processes. If the PID count drops below 2, the agent is not functioning as expected." + namespace = "CWAgent" + metric_name = "procstat_lookup pid_count" + period = 60 + evaluation_periods = 1 + statistic = "Average" + comparison_operator = "LessThanThreshold" + threshold = 2 # SSM agent runs 2 processes + treat_missing_data = "breaching" + dimensions = { + exe = "ssm-agent" + pid_finder = "native" + } + } + } app = merge( - module.baseline_presets.cloudwatch_metric_alarms_by_sns_topic["csr_pagerduty"].ec2, - module.baseline_presets.cloudwatch_metric_alarms_by_sns_topic["csr_pagerduty"].ec2_cwagent_windows, - module.baseline_presets.cloudwatch_metric_alarms_by_sns_topic["csr_pagerduty"].ec2_instance_or_cwagent_stopped_windows, - local.cloudwatch_app_log_metric_alarms.app, { - high-memory-usage = merge(module.baseline_presets.cloudwatch_metric_alarms_by_sns_topic["csr_pagerduty"].ec2_cwagent_windows["high-memory-usage"], { + module.baseline_presets.cloudwatch_metric_alarms.ec2, + module.baseline_presets.cloudwatch_metric_alarms.ec2_cwagent_windows, + module.baseline_presets.cloudwatch_metric_alarms.ec2_instance_or_cwagent_stopped_windows, + { + high-memory-usage = merge(module.baseline_presets.cloudwatch_metric_alarms.ec2_cwagent_windows["high-memory-usage"], { threshold = "75" period = "60" # seconds evaluation_periods = 
"20" @@ -17,17 +49,17 @@ locals { ) db = merge( - module.baseline_presets.cloudwatch_metric_alarms_by_sns_topic["csr_pagerduty"].ec2, - module.baseline_presets.cloudwatch_metric_alarms_by_sns_topic["csr_pagerduty"].ec2_cwagent_linux, - module.baseline_presets.cloudwatch_metric_alarms_by_sns_topic["csr_pagerduty"].ec2_instance_or_cwagent_stopped_linux, + module.baseline_presets.cloudwatch_metric_alarms.ec2, + module.baseline_presets.cloudwatch_metric_alarms.ec2_cwagent_linux, + module.baseline_presets.cloudwatch_metric_alarms.ec2_instance_or_cwagent_stopped_linux, local.environment == "production" ? {} : { - cpu-utilization-high = merge(module.baseline_presets.cloudwatch_metric_alarms_by_sns_topic["csr_pagerduty"].ec2["cpu-utilization-high"], { + cpu-utilization-high = merge(module.baseline_presets.cloudwatch_metric_alarms.ec2["cpu-utilization-high"], { evaluation_periods = "480" datapoints_to_alarm = "480" threshold = "95" alarm_description = "Triggers if the average cpu remains at 95% utilization or above for 8 hours to allow for DB refreshes. See https://dsdmoj.atlassian.net/wiki/spaces/DSTT/pages/4326064583" }) - cpu-iowait-high = merge(module.baseline_presets.cloudwatch_metric_alarms_by_sns_topic["csr_pagerduty"].ec2_cwagent_linux["cpu-iowait-high"], { + cpu-iowait-high = merge(module.baseline_presets.cloudwatch_metric_alarms.ec2_cwagent_linux["cpu-iowait-high"], { evaluation_periods = "480" datapoints_to_alarm = "480" threshold = "40" 
@@ -37,14 +69,13 @@ locals { ) db_backup = merge( - module.baseline_presets.cloudwatch_metric_alarms_by_sns_topic["csr_pagerduty"].ec2_instance_cwagent_collectd_oracle_db_backup, + module.baseline_presets.cloudwatch_metric_alarms.ec2_instance_cwagent_collectd_oracle_db_backup, ) web = merge( - module.baseline_presets.cloudwatch_metric_alarms_by_sns_topic["csr_pagerduty"].ec2, - module.baseline_presets.cloudwatch_metric_alarms_by_sns_topic["csr_pagerduty"].ec2_cwagent_windows, - module.baseline_presets.cloudwatch_metric_alarms_by_sns_topic["csr_pagerduty"].ec2_instance_or_cwagent_stopped_windows, - local.cloudwatch_app_log_metric_alarms.web, + module.baseline_presets.cloudwatch_metric_alarms.ec2, + module.baseline_presets.cloudwatch_metric_alarms.ec2_cwagent_windows, + module.baseline_presets.cloudwatch_metric_alarms.ec2_instance_or_cwagent_stopped_windows, ) } } diff --git a/terraform/environments/corporate-staff-rostering/locals_ec2_instances.tf b/terraform/environments/corporate-staff-rostering/locals_ec2_instances.tf index 3e43c8406b8..1b0e1384d97 100644 --- a/terraform/environments/corporate-staff-rostering/locals_ec2_instances.tf +++ b/terraform/environments/corporate-staff-rostering/locals_ec2_instances.tf @@ -3,7 +3,10 @@ locals { ec2_instances = { app = { - cloudwatch_metric_alarms = local.cloudwatch_metric_alarms.app + cloudwatch_metric_alarms = merge( + local.cloudwatch_metric_alarms.windows, + local.cloudwatch_metric_alarms.app, + ) config = { ami_owner = "self" availability_zone = "eu-west-2a" @@ -112,7 +115,10 @@ locals { } web = { - cloudwatch_metric_alarms = local.cloudwatch_metric_alarms.web + cloudwatch_metric_alarms = merge( + local.cloudwatch_metric_alarms.windows, + local.cloudwatch_metric_alarms.web, + ) config = { ami_owner = "self" availability_zone = "eu-west-2a" diff --git a/terraform/environments/corporate-staff-rostering/locals_lbs.tf b/terraform/environments/corporate-staff-rostering/locals_lbs.tf index 9c975b1bf3d..bec724374c3 100644 
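Review bot: Only the Windows `app` and `web` instances receive the new `cwagent-process-count` and `ssm-agent-process-count` alarms; the Linux `db` instance keeps its previous alarm set, so a stopped SSM agent on the database host goes unnoticed if SSM access or patching is relied on there too. If the Linux CloudWatch-agent config can carry a matching `procstat` stanza, add a `linux` alarm map alongside `windows` and merge it the same way, `cloudwatch_metric_alarms = merge(local.cloudwatch_metric_alarms.linux, local.cloudwatch_metric_alarms.db)`. The `ec2_instances` local continues outside the hunk.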
--- a/terraform/environments/corporate-staff-rostering/locals_lbs.tf
+++ b/terraform/environments/corporate-staff-rostering/locals_lbs.tf
@@ -106,27 +106,27 @@ locals {
 }
 listeners = {
 http = {
- cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms_by_sns_topic["csr_pagerduty"].network_lb
+ cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.network_lb
 port = 80
 protocol = "TCP"
 }
 http-7770 = {
- cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms_by_sns_topic["csr_pagerduty"].network_lb
+ cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.network_lb
 port = 7770
 protocol = "TCP"
 }
 http-7771 = {
- cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms_by_sns_topic["csr_pagerduty"].network_lb
+ cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.network_lb
 port = 7771
 protocol = "TCP"
 }
 http-7780 = {
- cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms_by_sns_topic["csr_pagerduty"].network_lb
+ cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.network_lb
 port = 7780
 protocol = "TCP"
 }
 http-7781 = {
- cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms_by_sns_topic["csr_pagerduty"].network_lb
+ cloudwatch_metric_alarms = module.baseline_presets.cloudwatch_metric_alarms.network_lb
 port = 7781
 protocol = "TCP"
 }
diff --git a/terraform/environments/corporate-staff-rostering/locals_preproduction.tf b/terraform/environments/corporate-staff-rostering/locals_preproduction.tf
index 8778fd40c9b..29db5947c48 100644
--- a/terraform/environments/corporate-staff-rostering/locals_preproduction.tf
+++ b/terraform/environments/corporate-staff-rostering/locals_preproduction.tf
@@ -2,6 +2,12 @@ locals { baseline_presets_preproduction = { options = { + cloudwatch_metric_alarms_default_actions = ["pagerduty"] + sns_topics = { + pagerduty_integrations = { + pagerduty = "corporate-staff-rostering-preproduction" + } + } } } diff --git a/terraform/environments/corporate-staff-rostering/locals_production.tf b/terraform/environments/corporate-staff-rostering/locals_production.tf index 57dfded57b0..ec4d88f62f5 100644 --- a/terraform/environments/corporate-staff-rostering/locals_production.tf +++ b/terraform/environments/corporate-staff-rostering/locals_production.tf @@ -2,7 +2,13 @@ locals { baseline_presets_production = { options = { - db_backup_lifecycle_rule = "rman_backup_one_month" + cloudwatch_metric_alarms_default_actions = ["pagerduty"] + db_backup_lifecycle_rule = "rman_backup_one_month" + sns_topics = { + pagerduty_integrations = { + pagerduty = "corporate-staff-rostering-production" + } + } } } diff --git a/terraform/environments/corporate-staff-rostering/templates/cloud_watch_windows.json b/terraform/environments/corporate-staff-rostering/templates/cloud_watch_windows.json index 1dbb63b88cb..82d0dbafc17 100644 --- a/terraform/environments/corporate-staff-rostering/templates/cloud_watch_windows.json +++ b/terraform/environments/corporate-staff-rostering/templates/cloud_watch_windows.json @@ -74,10 +74,37 @@ "Requests Queued", "Application Restarts" ] - } + }, + "procstat": [ + { + "exe": "ssm-agent", + "measurement": [ + "cpu_time_system", + "cpu_time_user", + "memory_rss", + "num_threads", + "pid_count", + "pid", + "read_bytes", + "write_bytes" + ] + }, + { + "exe": "amazon-cloudwatch-agent", + "measurement": [ + "cpu_time_system", + "cpu_time_user", + "memory_rss", + "num_threads", + "pid_count", + "pid", + "read_bytes", + "write_bytes" + ] + } + ] }, "append_dimensions": { - "ImageId": "${aws:ImageId}", "InstanceId": "${aws:InstanceId}", "AutoScalingGroupName": "${aws:AutoScalingGroupName}" }, 
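Review bot: `cloudwatch_metric_alarms_default_actions = ["pagerduty"]` and the `sns_topics` block are added here and in the production locals, but the `sns_topics` this commit removed from what appears to be the shared options in locals.tf is not re-added for development or test; unless the preset's default actions are non-empty, alarms in those environments — including the new agent process-count alarms merged into every Windows instance — now have no action at all. If that is intentional, say so with a comment in the dev/test locals; otherwise point them at a non-paging topic. The `baseline_presets_preproduction` local continues outside the hunk.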
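Review bot: Dropping `ImageId` from `append_dimensions` changes the dimension set of every metric this agent config emits, not just the new procstat ones; any existing alarm, dashboard or metric filter that selects on the `ImageId` dimension will go to INSUFFICIENT_DATA once the agents load the new config, and the baseline alarms that treat missing data as breaching will page. Check the preset alarms for an `ImageId` dimension before rolling this out, and since the template has no comment syntax, explain the removal in the Terraform that renders it (or the commit message). The `metrics` section of the template continues outside the hunk.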
diff --git a/terraform/environments/delius-core/locals_development.tf b/terraform/environments/delius-core/locals_development.tf index 669de037804..b6fc300ba61 100644 --- a/terraform/environments/delius-core/locals_development.tf +++ b/terraform/environments/delius-core/locals_development.tf @@ -29,7 +29,7 @@ locals { } db_config_dev = { - instance_type = "r6i.xlarge" + instance_type = "r7i.large" ami_name_regex = "^delius_core_ol_8_5_oracle_db_19c_patch_2024-01-31T16-06-00.575Z" instance_policies = { @@ -72,54 +72,6 @@ locals { } delius_microservices_configs_dev = { - gdpr_ui = { - image_tag = "REPLACE" - container_port = 80 - } - - gdpr_api = { - image_tag = "REPLACE" - container_port = 8080 - create_rds = false - rds_engine = "postgres" - rds_engine_version = "15" - rds_instance_class = "db.t3.small" - rds_allocated_storage = 30 - rds_username = "postgres" - rds_port = 5432 - rds_license_model = "postgresql-license" - rds_deletion_protection = false - rds_skip_final_snapshot = true - snapshot_identifier = "rds-1187-shared-key-version" - rds_backup_retention_period = 1 - maintenance_window = "Wed:21:00-Wed:23:00" - rds_backup_window = "19:00-21:00" - } - - merge_api = { - container_port = 8080 - image_tag = "REPLACE" - create_rds = true - rds_engine = "postgres" - rds_engine_version = "15" - rds_instance_class = "db.t3.small" - rds_allocated_storage = 30 - rds_username = "dbadmin" - rds_port = 5432 - rds_license_model = "postgresql-license" - rds_deletion_protection = false - rds_skip_final_snapshot = true - snapshot_identifier = "rds-migration-1145-kms" - rds_backup_retention_period = 1 - maintenance_window = "Wed:21:00-Wed:23:00" - rds_backup_window = "19:00-21:00" - } - - merge_ui = { - image_tag = "REPLACE" - container_port = 80 - } - weblogic = { image_tag = "5.7.6" container_port = 8080 
@@ -134,17 +86,6 @@ locals { container_cpu = 1024 } - umt = { - image_tag = "dev" - container_port = 8080 - container_memory = 4096 - container_cpu = 1024 - elasticache_version = "6.2" - elasticache_node_type = "cache.t3.small" - elasticache_port = 6379 - elasticache_parameter_group_name = "default.redis6.x" - } - pwm = { image_tag = "8250538047-1" container_port = 8080 diff --git a/terraform/environments/delius-core/locals_preproduction.tf b/terraform/environments/delius-core/locals_preproduction.tf index cbb69d189a2..f8d822baa8b 100644 --- a/terraform/environments/delius-core/locals_preproduction.tf +++ b/terraform/environments/delius-core/locals_preproduction.tf @@ -9,7 +9,7 @@ locals { migration_environment_full_name = "del-pre-prod" migration_environment_abbreviated_name = "del" migration_environment_short_name = "pre-prod" - legacy_engineering_vpc_cidr = "10.161.98.0/25" + legacy_engineering_vpc_cidr = "10.160.98.0/25" ec2_user_ssh_key = file("${path.module}/files/.ssh/preprod/ec2-user.pub") homepage_path = "/" } @@ -28,7 +28,7 @@ locals { db_config_preprod = { - instance_type = "r6i.xlarge" + instance_type = "r7i.4xlarge" ami_name_regex = "^delius_core_ol_8_5_oracle_db_19c_patch_2024-06-04T11-24-58.162Z" instance_policies = { "business_unit_kms_key_access" = aws_iam_policy.business_unit_kms_key_access 
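Review bot: `legacy_engineering_vpc_cidr` is corrected from `10.161.98.0/25` to `10.160.98.0/25` with nothing recording where the authoritative value comes from; if this local feeds security-group or NACL ingress rules, as the name suggests, a transposed digit silently admits or blocks the wrong network and no plan output flags it. Add the source beside the value, e.g. `legacy_engineering_vpc_cidr = "10.160.98.0/25" # legacy engineering VPC, see <VPC id / runbook>`, or read it from a data source or SSM parameter the owning account publishes. The same correction is applied to locals_stage.tf later in this commit, so stage and pre-production now share this CIDR — presumably right for one shared engineering VPC, but worth confirming. The `locals` block continues outside the hunk.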
@@ -69,53 +69,6 @@ locals { } delius_microservices_configs_preprod = { - gdpr_ui = { - image_tag = "REPLACE" - container_port = 80 - } - - gdpr_api = { - image_tag = "REPLACE" - container_port = 8080 - create_rds = false - rds_engine = "postgres" - rds_engine_version = "15" - rds_instance_class = "db.t3.small" - rds_allocated_storage = 30 - rds_username = "postgres" - rds_port = 5432 - rds_license_model = "postgresql-license" - rds_deletion_protection = false - rds_skip_final_snapshot = true - snapshot_identifier = "rds-1187-test-copy" - rds_backup_retention_period = 1 - maintenance_window = "Wed:21:00-Wed:23:00" - rds_backup_window = "19:00-21:00" - } - - merge_ui = { - image_tag = "REPLACE" - container_port = 80 - } - - merge_api = { - image_tag = "REPLACE" - container_port = 8080 - create_rds = true - rds_engine = "postgres" - rds_engine_version = "15" - rds_instance_class = "db.t3.small" - rds_allocated_storage = 20 - rds_username = "dbadmin" - rds_port = 5432 - rds_license_model = "postgresql-license" - rds_deletion_protection = false - rds_skip_final_snapshot = true - snapshot_identifier = null - rds_backup_retention_period = 1 - maintenance_window = "Wed:21:00-Wed:23:00" - rds_backup_window = "19:00-21:00" - } weblogic = { image_tag = "5.7.6" @@ -131,17 +84,6 @@ locals { container_cpu = 1024 } - umt = { - image_tag = "5.7.6" - container_port = 8080 - container_memory = 4096 - container_cpu = 1024 - elasticache_version = "6.2" - elasticache_node_type = "cache.t3.small" - elasticache_port = 6379 - elasticache_parameter_group_name = "default.redis6.x" - } - pwm = { image_tag = "8250538047-1" container_port = 8080 diff --git a/terraform/environments/delius-core/locals_stage.tf b/terraform/environments/delius-core/locals_stage.tf index 59f317d37ba..26f5623ab8d 100644 --- a/terraform/environments/delius-core/locals_stage.tf +++ b/terraform/environments/delius-core/locals_stage.tf 
@@ -9,7 +9,7 @@ locals { migration_environment_full_name = "del-stage" migration_environment_abbreviated_name = "del" migration_environment_short_name = "stage" - legacy_engineering_vpc_cidr = "10.161.98.0/25" + legacy_engineering_vpc_cidr = "10.160.98.0/25" ec2_user_ssh_key = file("${path.module}/files/.ssh/stage/ec2-user.pub") homepage_path = "/" } @@ -28,7 +28,7 @@ locals { db_config_stage = { - instance_type = "r6i.xlarge" + instance_type = "r7i.2xlarge" ami_name_regex = "^delius_core_ol_8_5_oracle_db_19c_patch_2024-06-04T11-24-58.162Z" standby_count = 0 @@ -71,54 +71,6 @@ locals { } delius_microservices_configs_stage = { - gdpr_ui = { - image_tag = "REPLACE" - container_port = 80 - } - - gdpr_api = { - image_tag = "REPLACE" - container_port = 8080 - create_rds = false - rds_engine = "postgres" - rds_engine_version = "15" - rds_instance_class = "db.t3.small" - rds_allocated_storage = 30 - rds_username = "postgres" - rds_port = 5432 - rds_license_model = "postgresql-license" - rds_deletion_protection = false - rds_skip_final_snapshot = true - snapshot_identifier = "REPLACE" - rds_backup_retention_period = 1 - maintenance_window = "Wed:21:00-Wed:23:00" - rds_backup_window = "19:00-21:00" - } - - merge_ui = { - image_tag = "REPLACE" - container_port = 80 - } - - merge_api = { - image_tag = "REPLACE" - container_port = 8080 - create_rds = true - rds_engine = "postgres" - rds_engine_version = "15" - rds_instance_class = "db.t3.small" - rds_allocated_storage = 20 - rds_username = "dbadmin" - rds_port = 5432 - rds_license_model = "postgresql-license" - rds_deletion_protection = false - rds_skip_final_snapshot = true - snapshot_identifier = null - rds_backup_retention_period = 1 - maintenance_window = "Wed:21:00-Wed:23:00" - rds_backup_window = "19:00-21:00" - } - weblogic = { image_tag = "5.7.6" container_port = 8080 
@@ -133,17 +85,6 @@ locals { container_cpu = 1024 } - umt = { - image_tag = "5.7.6" - container_port = 8080 - container_memory = 4096 - container_cpu = 1024 - elasticache_version = "6.2" - elasticache_node_type = "cache.t3.small" - elasticache_port = 6379 - elasticache_parameter_group_name = "default.redis6.x" - } - pwm = { image_tag = "8250538047-1" container_port = 8080 diff --git a/terraform/environments/delius-core/locals_test.tf b/terraform/environments/delius-core/locals_test.tf index 4848378d695..edd5cd9a5d6 100644 --- a/terraform/environments/delius-core/locals_test.tf +++ b/terraform/environments/delius-core/locals_test.tf @@ -30,7 +30,7 @@ locals { db_config_test = { - instance_type = "r6i.xlarge" + instance_type = "r7i.xlarge" ami_name_regex = "^delius_core_ol_8_5_oracle_db_19c_patch_2024-01-31T16-06-00.575Z" instance_policies = { "business_unit_kms_key_access" = aws_iam_policy.business_unit_kms_key_access 
@@ -71,54 +71,6 @@ locals { } delius_microservices_configs_test = { - gdpr_ui = { - image_tag = "REPLACE" - container_port = 80 - } - - gdpr_api = { - image_tag = "REPLACE" - container_port = 8080 - create_rds = false - rds_engine = "postgres" - rds_engine_version = "15" - rds_instance_class = "db.t3.small" - rds_allocated_storage = 30 - rds_username = "postgres" - rds_port = 5432 - rds_license_model = "postgresql-license" - rds_deletion_protection = false - rds_skip_final_snapshot = true - snapshot_identifier = "rds-1187-test-copy" - rds_backup_retention_period = 1 - maintenance_window = "Wed:21:00-Wed:23:00" - rds_backup_window = "19:00-21:00" - } - - merge_ui = { - image_tag = "REPLACE" - container_port = 80 - } - - merge_api = { - image_tag = "REPLACE" - container_port = 8080 - create_rds = true - rds_engine = "postgres" - rds_engine_version = "15" - rds_instance_class = "db.t3.small" - rds_allocated_storage = 20 - rds_username = "dbadmin" - rds_port = 5432 - rds_license_model = "postgresql-license" - rds_deletion_protection = false - rds_skip_final_snapshot = true - snapshot_identifier = null - rds_backup_retention_period = 1 - maintenance_window = "Wed:21:00-Wed:23:00" - rds_backup_window = "19:00-21:00" - } - weblogic = { image_tag = "5.7.6" container_port = 8080 @@ -133,17 +85,6 @@ locals { container_cpu = 1024 } - umt = { - image_tag = "5.7.6" - container_port = 8080 - container_memory = 4096 - container_cpu = 1024 - elasticache_version = "6.2" - elasticache_node_type = "cache.t3.small" - elasticache_port = 6379 - elasticache_parameter_group_name = "default.redis6.x" - } - pwm = { image_tag = "8250538047-1" container_port = 8080 diff --git a/terraform/environments/delius-core/modules/components/ldap/dns.tf b/terraform/environments/delius-core/modules/components/ldap/dns.tf index 496c22bccac..427d847aeec 100644 --- a/terraform/environments/delius-core/modules/components/ldap/dns.tf +++ b/terraform/environments/delius-core/modules/components/ldap/dns.tf 
@@ -2,7 +2,7 @@ resource "aws_route53_record" "external" {
 provider = aws.core-vpc
 zone_id = var.account_config.route53_external_zone.zone_id
 
- name = "ldap.${var.account_config.dns_suffix}"
+ name = "ldap.${var.env_name}.${var.account_config.dns_suffix}"
 type = "CNAME"
 ttl = "60"
 records = [module.nlb.dns_name]
diff --git a/terraform/environments/delius-core/modules/components/ldap/ecs_monitoring.tf b/terraform/environments/delius-core/modules/components/ldap/ecs_monitoring.tf
index 8b7a25815bb..98ff6d114bd 100644
--- a/terraform/environments/delius-core/modules/components/ldap/ecs_monitoring.tf
+++ b/terraform/environments/delius-core/modules/components/ldap/ecs_monitoring.tf
@@ -72,11 +72,13 @@ resource "aws_cloudwatch_metric_alarm" "memory_over_threshold" {
 return_data = true
 expression = "ANOMALY_DETECTION_BAND(m1, 20)"
 }
+
 }
 
 resource "aws_cloudwatch_log_metric_filter" "log_error_filter" {
- name = "ldap-${var.env_name}-error"
- pattern = "%err=[1-9][0-9]+%"
+ name = "ldap-${var.env_name}-error"
+ pattern = "%${join("|", local.formatted_error_codes)}%"
+
 log_group_name = aws_cloudwatch_log_group.ldap_ecs.name
 
 metric_transformation {
@@ -93,7 +95,7 @@ resource "aws_cloudwatch_metric_alarm" "high_error_volume" {
 namespace = "ldapMetrics"
 metric_name = "ErrorCount"
 statistic = "Sum"
- period = "300"
+ period = "600"
 evaluation_periods = "1"
 alarm_actions = [var.sns_topic_arn]
 ok_actions = [var.sns_topic_arn]
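Review bot: Changing `name` to `ldap.${var.env_name}.${var.account_config.dns_suffix}` replaces the old `ldap.<dns_suffix>` record, so anything still configured with the old hostname stops resolving once this is applied, and the certificate behind `aws_acm_certificate.external` (used by this module's locals.tf later in the same diff) presumably has to cover the new name or TLS clients of the NLB will fail validation. I do not see the certificate's domain_name or subject_alternative_names changed anywhere in this diff; confirm they include the per-environment name. A one-line comment on the record, e.g. `# Per-environment hostname; must match the names on aws_acm_certificate.external`, would make that coupling visible.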
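Review bot: The new `pattern` delegates the error-code boundary to the `\s` baked into `local.formatted_error_codes`; check that the CloudWatch Logs filter-pattern regex dialect honours `\s` and that an `err=N` token never ends a log line, because such a line would no longer match, whereas the old `%err=[1-9][0-9]+%` had the opposite gap of never matching single-digit codes such as `err=1`. That motivation is worth recording next to the pattern, e.g. `# Enumerated err= codes with a whitespace terminator so err=1 does not also match err=10..19`. In the next hunk `period` for `high_error_volume` doubles to `"600"` while the threshold (outside the hunk) is untouched, so the alarm now needs the same error count over twice the window; if its alarm_description still describes a five-minute window it is stale, and with `warning_error_volume` removed in the following hunk there is no earlier warning at all.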
@@ -102,21 +104,6 @@ resource "aws_cloudwatch_metric_alarm" "high_error_volume" {
 comparison_operator = "GreaterThanThreshold"
 }
 
-resource "aws_cloudwatch_metric_alarm" "warning_error_volume" {
- alarm_name = "ldap-${var.env_name}-warning-error-count"
- alarm_description = "Triggers alarm if there are more than 5 errors in the last 2 minutes"
- namespace = "ldapMetrics"
- metric_name = "ErrorCount"
- statistic = "Sum"
- period = "120"
- evaluation_periods = "1"
- alarm_actions = [var.sns_topic_arn]
- ok_actions = [var.sns_topic_arn]
- threshold = "5"
- treat_missing_data = "missing"
- comparison_operator = "GreaterThanThreshold"
-}
-
 resource "aws_cloudwatch_metric_alarm" "ecs_running_tasks_less_than_one" {
 alarm_name = "ldap-${var.env_name}-no-running-tasks"
 actions_enabled = true
diff --git a/terraform/environments/delius-core/modules/components/ldap/locals.tf b/terraform/environments/delius-core/modules/components/ldap/locals.tf
index 88f0470732f..d9d37c5aef5 100644
--- a/terraform/environments/delius-core/modules/components/ldap/locals.tf
+++ b/terraform/environments/delius-core/modules/components/ldap/locals.tf
@@ -13,4 +13,15 @@ locals {
 domain_type_sub = [for k, v in local.domain_types : v.type if k != "modernisation-platform.service.justice.gov.uk"]
 certificate_arn = aws_acm_certificate.external.arn
 
-}
\ No newline at end of file
+
+ error_codes = [
+ 1, 2, 3, 4, 5, 6, 7, 8, 10, 11, 12, 13, 14,
+ 16, 17, 18, 19, 20, 21, 33, 34, 35, 36, 48, 49,
+ 50, 51, 52, 53, 54, 60, 61, 64, 65, 66, 67, 68,
+ 69, 70, 71, 76, 80, 81, 82, 83, 84, 85, 86, 87,
+ 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 100, 101,
+ 112, 113, 114, 118, 119, 120, 121, 122, 123, 4096,
+ 16654
+ ]
+ formatted_error_codes = [for error_code in local.error_codes : "err=${error_code}\\s"]
+}
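Review bot: `error_codes` is a bare list of 70 integers with nothing saying what they are, why 0, 9, 15 and the 22–32 range are absent, or where 4096 and 16654 come from; add a comment above it naming the source (they look like LDAP result codes, but the author should confirm), e.g. `# LDAP result codes that log_error_filter counts as errors; 0 (success) and unassigned codes are deliberately left out`. `formatted_error_codes` also deserves a one-liner explaining the `\\s` suffix, which is what stops `err=1` from also matching `err=10`. The joined pattern this produces runs to several hundred characters and CloudWatch limits filter-pattern length, so note that constraint if the list is expected to grow.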
diff --git a/terraform/environments/delius-core/modules/components/oracle_db_instance/locals.tf b/terraform/environments/delius-core/modules/components/oracle_db_instance/locals.tf
index 4d2554ed0ea..97685fd3d42 100644
--- a/terraform/environments/delius-core/modules/components/oracle_db_instance/locals.tf
+++ b/terraform/environments/delius-core/modules/components/oracle_db_instance/locals.tf
@@ -43,6 +43,21 @@ locals {
 alarm_actions = [var.sns_topic_arn]
 ok_actions = [var.sns_topic_arn]
 }
+ status-check-failed-attached-ebs = {
+ comparison_operator = "GreaterThanOrEqualToThreshold"
+ evaluation_periods = "60"
+ datapoints_to_alarm = "1"
+ metric_name = "StatusCheckFailed_AttachedEBS"
+ namespace = "AWS/EC2"
+ period = "60"
+ statistic = "Maximum"
+ threshold = "1"
+ datapoints_to_alarm = "10"
+ evaluation_periods = "10"
+ alarm_description = "Triggers if there has been a status check failure for attached EBS volumes within the last hour."
+ alarm_actions = [var.sns_topic_arn]
+ ok_actions = [var.sns_topic_arn]
+ }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/terraform/environments/delius-core/modules/components/oracle_db_shared/locals.tf b/terraform/environments/delius-core/modules/components/oracle_db_shared/locals.tf
index 8c4736d1f3e..d0c51065c35 100644
--- a/terraform/environments/delius-core/modules/components/oracle_db_shared/locals.tf
+++ b/terraform/environments/delius-core/modules/components/oracle_db_shared/locals.tf
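Review bot: The new `status-check-failed-attached-ebs` entry sets `evaluation_periods` twice (`"60"`, then `"10"`) and `datapoints_to_alarm` twice (`"1"`, then `"10"`); current HCL rejects duplicate keys in an object constructor, so this is likely to fail `terraform validate`, and even where it were tolerated the two pairs describe different windows (one datapoint in an hour versus ten in ten minutes). Keep one pair and make it agree with the alarm_description: "within the last hour" with `period = "60"` is `evaluation_periods = "60"` and `datapoints_to_alarm = "1"`, so delete the later `datapoints_to_alarm = "10"` and `evaluation_periods = "10"` lines. The enclosing locals block starts before this hunk.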
@@ -23,12 +23,12 @@ locals {
 "source_environment" = "dev"
 },
 "stage" = {
- "target_account_id" = var.platform_vars.environment_management.account_ids["delius-core-production"]
- "target_environment" = "prod"
+ # "target_account_id" = var.platform_vars.environment_management.account_ids["delius-core-production"]
+ # "target_environment" = "prod"
 },
 "preprod" = {
- "target_account_id" = var.platform_vars.environment_management.account_ids["delius-core-production"]
- "target_environment" = "prod"
+ # "target_account_id" = var.platform_vars.environment_management.account_ids["delius-core-production"]
+ # "target_environment" = "prod"
 },
 # "prod" = {
 # "source_account_id" = var.platform_vars.environment_management.account_ids["delius-core-preproduction"]
diff --git a/terraform/environments/delius-core/modules/delius_environment/gdpr_api_service.tf b/terraform/environments/delius-core/modules/delius_environment/gdpr_api_service.tf
deleted file mode 100644
index 788331ef7c4..00000000000
--- a/terraform/environments/delius-core/modules/delius_environment/gdpr_api_service.tf
+++ /dev/null
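Review bot: Commenting out both attributes leaves `"stage" = {}` and `"preprod" = {}` as empty objects, so any code outside this hunk that reads `.target_account_id` or `.target_environment` directly will fail at plan time instead of treating the target as absent; either drop those keys and guard consumers with `lookup(v, "target_account_id", null)` or `can(...)`, or keep the attributes with explicit `null` values so the object shape stays the same across environments. A comment stating why the production account is no longer a target for these two environments, e.g. `# no production target for this environment: <reason / ticket>`, would also help, since the `prod` entry below is already commented out without one. The enclosing locals block starts before this hunk.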
@@ -1,101 +0,0 @@ -module "gdpr_api_service" { - source = "../helpers/delius_microservice" - - name = "gdpr-api" - certificate_arn = local.certificate_arn - alb_security_group_id = aws_security_group.delius_frontend_alb_security_group.id - env_name = var.env_name - container_port_config = [ - { - containerPort = var.delius_microservice_configs.gdpr_api.container_port - protocol = "tcp" - }] - ecs_cluster_arn = module.ecs.ecs_cluster_arn - container_secrets_default = { - "SPRING_DATASOURCE_PASSWORD" : aws_ssm_parameter.delius_core_gdpr_db_admin_password.arn, - "SPRING_SECOND-DATASOURCE_PASSWORD" : aws_ssm_parameter.delius_core_gdpr_db_pool_password.arn, - "SECURITY_OAUTH2_CLIENT_CLIENT-SECRET" : aws_ssm_parameter.delius_core_gdpr_api_client_secret.arn - } - - desired_count = 0 - - container_secrets_env_specific = try(var.delius_microservice_configs.gdpr_api.container_secrets_env_specific, {}) - - db_ingress_security_groups = [] - cluster_security_group_id = aws_security_group.cluster.id - - bastion_sg_id = module.bastion_linux.bastion_security_group - tags = var.tags - microservice_lb = aws_lb.delius_core_frontend - microservice_lb_https_listener_arn = aws_lb_listener.listener_https.arn - alb_listener_rule_paths = ["/gdpr/api", "/gdpr/api/*"] - - platform_vars = var.platform_vars - container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-gdpr-api-ecr-repo:${var.delius_microservice_configs.gdpr_api.image_tag}" - account_config = var.account_config - health_check_path = "/gdpr/api/actuator/health" - account_info = var.account_info - - create_rds = var.delius_microservice_configs.gdpr_api.create_rds - rds_engine = var.delius_microservice_configs.gdpr_api.rds_engine - rds_engine_version = var.delius_microservice_configs.gdpr_api.rds_engine_version - rds_instance_class = var.delius_microservice_configs.gdpr_api.rds_instance_class - rds_port = 
var.delius_microservice_configs.gdpr_api.rds_port - rds_allocated_storage = var.delius_microservice_configs.gdpr_api.rds_allocated_storage - rds_username = var.delius_microservice_configs.gdpr_api.rds_username - rds_license_model = var.delius_microservice_configs.gdpr_api.rds_license_model - maintenance_window = var.delius_microservice_configs.gdpr_api.maintenance_window - rds_backup_retention_period = var.delius_microservice_configs.gdpr_api.rds_backup_retention_period - rds_backup_window = var.delius_microservice_configs.gdpr_api.rds_backup_window - rds_deletion_protection = var.delius_microservice_configs.gdpr_api.rds_deletion_protection - snapshot_identifier = data.aws_ssm_parameter.gdpr_api_snapshot_identifier.value - rds_skip_final_snapshot = var.delius_microservice_configs.gdpr_api.rds_skip_final_snapshot - - container_vars_default = { - "SERVER_SERVLET_CONTEXT_PATH" : "/gdpr/api/", - "SPRING_DATASOURCE_DRIVER_CLASS_NAME" : "org.postgresql.Driver", - "SPRING_SECOND_DATASOURCE_USERNAME" : "gdpr_pool", - "SPRING_SECOND_DATASOURCE_TYPE" : "oracle.jdbc.pool.OracleDataSource", - "SPRING_JPA_HIBERNATE_DDL_AUTO" : "update", - "SPRING_BATCH_JOB_ENABLED" : "false", - "SPRING_BATCH_INITIALIZE_SCHEMA" : "always", - "ALFRESCO_DMS_PROTOCOL" : "https", - "SECURITY_OAUTH2_RESOURCE_ID" : "NDelius", - "SECURITY_OAUTH2_CLIENT_CLIENT_ID" : "GDPR-API", - "SECURITY_OAUTH2_RESOURCE_TOKEN_INFO_URI" : "http://usermanagement.ecs.cluster:8080/umt/oauth/check_token", - "SPRING_FLYWAY_ENABLED" : "true", - "SPRING_FLYWAY_LOCATIONS" : "classpath:/db" - } - - container_vars_env_specific = try(var.delius_microservice_configs.gdpr_api.container_vars_env_specific, {}) - - - ignore_changes_service_task_definition = true - - providers = { - aws.core-vpc = aws.core-vpc - aws.core-network-services = aws.core-network-services - } - - log_error_pattern = "ERROR" - sns_topic_arn = aws_sns_topic.delius_core_alarms.arn - frontend_lb_arn_suffix = aws_lb.delius_core_frontend.arn_suffix - 
enable_platform_backups = var.enable_platform_backups -} - -####################### -# GDPR API Params # -####################### - -resource "aws_ssm_parameter" "gpdr_api_snapshot_identifier" { - name = "/delius-core-${var.env_name}/gdpr-api/snapshot_id" - type = "String" - value = "DEFAULT" - lifecycle { - ignore_changes = [value] - } -} - -data "aws_ssm_parameter" "gdpr_api_snapshot_identifier" { - name = aws_ssm_parameter.gpdr_api_snapshot_identifier.name -} diff --git a/terraform/environments/delius-core/modules/delius_environment/gdpr_ui_service.tf b/terraform/environments/delius-core/modules/delius_environment/gdpr_ui_service.tf deleted file mode 100644 index 88c9f58fdf9..00000000000 --- a/terraform/environments/delius-core/modules/delius_environment/gdpr_ui_service.tf +++ /dev/null 
@@ -1,50 +0,0 @@ -module "gdpr_ui_service" { - source = "../helpers/delius_microservice" - - name = "gdpr-ui" - certificate_arn = local.certificate_arn - alb_security_group_id = aws_security_group.delius_frontend_alb_security_group.id - env_name = var.env_name - - container_vars_default = {} - container_vars_env_specific = try(var.delius_microservice_configs.gdpr_ui.container_vars_env_specific, {}) - - container_secrets_default = {} - container_secrets_env_specific = try(var.delius_microservice_configs.gdpr_ui.container_secrets_env_specific, {}) - - desired_count = 0 - - container_port_config = [ - { - containerPort = var.delius_microservice_configs.gdpr_ui.container_port - protocol = "tcp" - } - ] - ecs_cluster_arn = module.ecs.ecs_cluster_arn - db_ingress_security_groups = [] - cluster_security_group_id = aws_security_group.cluster.id - - bastion_sg_id = module.bastion_linux.bastion_security_group - tags = var.tags - microservice_lb = aws_lb.delius_core_frontend - microservice_lb_https_listener_arn = aws_lb_listener.listener_https.arn - - alb_listener_rule_paths = ["/gdpr/ui", "/gdpr/ui/*"] - platform_vars = var.platform_vars - container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-gdpr-ui-ecr-repo:${var.delius_microservice_configs.gdpr_ui.image_tag}" - account_config = var.account_config - health_check_path = "/gdpr/ui/homepage" - account_info = var.account_info - - ignore_changes_service_task_definition = true - - providers = { - aws.core-vpc = aws.core-vpc - aws.core-network-services = aws.core-network-services - } - - log_error_pattern = "ERROR" - sns_topic_arn = aws_sns_topic.delius_core_alarms.arn - frontend_lb_arn_suffix = aws_lb.delius_core_frontend.arn_suffix - enable_platform_backups = var.enable_platform_backups -} 
diff --git a/terraform/environments/delius-core/modules/delius_environment/merge_api_service.tf b/terraform/environments/delius-core/modules/delius_environment/merge_api_service.tf deleted file mode 100644 index 54e11148895..00000000000 --- a/terraform/environments/delius-core/modules/delius_environment/merge_api_service.tf +++ /dev/null 
@@ -1,100 +0,0 @@ -module "merge_api_service" { - source = "../helpers/delius_microservice" - name = "merge-api" - certificate_arn = local.certificate_arn - alb_security_group_id = aws_security_group.delius_frontend_alb_security_group.id - env_name = var.env_name - container_port_config = [ - { - containerPort = var.delius_microservice_configs.merge_api.container_port - protocol = "tcp" - } - ] - ecs_cluster_arn = module.ecs.ecs_cluster_arn - - desired_count = 0 - - db_ingress_security_groups = [] - cluster_security_group_id = aws_security_group.cluster.id - - bastion_sg_id = module.bastion_linux.bastion_security_group - tags = var.tags - microservice_lb = aws_lb.delius_core_frontend - microservice_lb_https_listener_arn = aws_lb_listener.listener_https.arn - - alb_listener_rule_paths = ["/merge/api", "/merge/api/*"] - platform_vars = var.platform_vars - container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-merge-api-ecr-repo:${var.delius_microservice_configs.merge_api.image_tag}" - account_config = var.account_config - health_check_path = "/merge/api/actuator/health" - account_info = var.account_info - - create_rds = var.delius_microservice_configs.merge_api.create_rds - rds_engine = var.delius_microservice_configs.merge_api.rds_engine - rds_engine_version = var.delius_microservice_configs.merge_api.rds_engine_version - rds_instance_class = var.delius_microservice_configs.merge_api.rds_instance_class - rds_port = var.delius_microservice_configs.merge_api.rds_port - rds_allocated_storage = var.delius_microservice_configs.merge_api.rds_allocated_storage - rds_username = var.delius_microservice_configs.merge_api.rds_username - rds_license_model = var.delius_microservice_configs.merge_api.rds_license_model - rds_deletion_protection = var.delius_microservice_configs.merge_api.rds_deletion_protection - snapshot_identifier = 
data.aws_ssm_parameter.merge_api_snapshot_identifier.value - rds_skip_final_snapshot = var.delius_microservice_configs.merge_api.rds_skip_final_snapshot - maintenance_window = var.delius_microservice_configs.merge_api.maintenance_window - rds_backup_retention_period = var.delius_microservice_configs.merge_api.rds_backup_retention_period - rds_backup_window = var.delius_microservice_configs.merge_api.rds_backup_window - - container_vars_default = { - "SERVER_SERVLET_CONTEXT_PATH" : "/merge/api/", - "SPRING_DATASOURCE_DRIVER_CLASS_NAME" : "org.postgresql.Driver", - "SPRING_SECOND_DATASOURCE_USERNAME" : "mms_pool", - "SPRING_SECOND_DATASOURCE_TYPE" : "oracle.jdbc.pool.OracleDataSource", - "SPRING_JPA_HIBERNATE_DDL_AUTO" : "update", - "SPRING_BATCH_JOB_ENABLED" : "false", - "SPRING_BATCH_INITIALIZE_SCHEMA" : "always", - "ALFRESCO_DMS_PROTOCOL" : "https", - "SECURITY_OAUTH2_RESOURCE_ID" : "NDelius", - "SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUE_TOKEN_CLIENT_ID" : "Merge-API", - "SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUE_TOKEN_INTROSPECTION_URI" : "http://usermanagement.ecs.cluster:8080/umt/oauth/check_token" - } - - container_vars_env_specific = try(var.delius_microservice_configs.merge_api.container_vars_env_specific, {}) - - container_secrets_default = { - "SPRING_DATASOURCE_PASSWORD" : aws_ssm_parameter.delius_core_merge_db_admin_password.arn, - "SPRING_SECOND-DATASOURCE_PASSWORD" : aws_ssm_parameter.delius_core_merge_db_pool_password.arn, - "SPRING_SECURITY_OAUTH2_RESOURCESERVER_OPAQUE-TOKEN_CLIENT-SECRET" : aws_ssm_parameter.delius_core_merge_api_client_secret.arn - } - - container_secrets_env_specific = try(var.delius_microservice_configs.merge_api.container_secrets_env_specific, {}) - - - ignore_changes_service_task_definition = true - - providers = { - aws.core-vpc = aws.core-vpc - aws.core-network-services = aws.core-network-services - } - - log_error_pattern = "ERROR" - sns_topic_arn = aws_sns_topic.delius_core_alarms.arn - frontend_lb_arn_suffix = 
aws_lb.delius_core_frontend.arn_suffix - enable_platform_backups = var.enable_platform_backups -} - -####################### -# Merge API Params # -####################### - -resource "aws_ssm_parameter" "merge_api_snapshot_identifier" { - name = "/delius-core-${var.env_name}/merge-api/snapshot_id" - type = "String" - value = "DEFAULT" - lifecycle { - ignore_changes = [value] - } -} - -data "aws_ssm_parameter" "merge_api_snapshot_identifier" { - name = aws_ssm_parameter.merge_api_snapshot_identifier.name -} diff --git a/terraform/environments/delius-core/modules/delius_environment/merge_ui_service.tf b/terraform/environments/delius-core/modules/delius_environment/merge_ui_service.tf deleted file mode 100644 index 1d28923b400..00000000000 --- a/terraform/environments/delius-core/modules/delius_environment/merge_ui_service.tf +++ /dev/null 
@@ -1,51 +0,0 @@ -module "merge_ui_service" { - source = "../helpers/delius_microservice" - - name = "merge-ui" - certificate_arn = local.certificate_arn - alb_security_group_id = aws_security_group.delius_frontend_alb_security_group.id - env_name = var.env_name - - container_vars_default = {} - container_vars_env_specific = try(var.delius_microservice_configs.merge_ui.container_vars_env_specific, {}) - - container_secrets_default = {} - container_secrets_env_specific = try(var.delius_microservice_configs.merge_ui.container_secrets_env_specific, {}) - - desired_count = 0 - - container_port_config = [ - { - containerPort = var.delius_microservice_configs.merge_ui.container_port - protocol = "tcp" - } - ] - - ecs_cluster_arn = module.ecs.ecs_cluster_arn - db_ingress_security_groups = [] - cluster_security_group_id = aws_security_group.cluster.id - - bastion_sg_id = module.bastion_linux.bastion_security_group - tags = var.tags - microservice_lb = aws_lb.delius_core_frontend - microservice_lb_https_listener_arn = aws_lb_listener.listener_https.arn - - alb_listener_rule_paths = ["/merge/ui", "/merge/ui/*"] - platform_vars = var.platform_vars - container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-merge-ui-ecr-repo:${var.delius_microservice_configs.merge_ui.image_tag}" - account_config = var.account_config - health_check_path = "/merge/ui/" - account_info = var.account_info - - ignore_changes_service_task_definition = true - - providers = { - aws.core-vpc = aws.core-vpc - aws.core-network-services = aws.core-network-services - } - - log_error_pattern = "ERROR" - sns_topic_arn = aws_sns_topic.delius_core_alarms.arn - frontend_lb_arn_suffix = aws_lb.delius_core_frontend.arn_suffix - enable_platform_backups = var.enable_platform_backups -} 
diff --git a/terraform/environments/delius-core/modules/delius_environment/newtech.tf b/terraform/environments/delius-core/modules/delius_environment/newtech.tf index c3bdd49b55b..89a086266ca 100644 --- a/terraform/environments/delius-core/modules/delius_environment/newtech.tf +++ b/terraform/environments/delius-core/modules/delius_environment/newtech.tf 
@@ -1,54 +1,54 @@ -module "newtech" { - source = "../helpers/delius_microservice" +# module "newtech" { +# source = "../helpers/delius_microservice" - name = "newtech" - certificate_arn = local.certificate_arn - alb_security_group_id = aws_security_group.delius_frontend_alb_security_group.id - env_name = var.env_name +# name = "newtech" +# certificate_arn = local.certificate_arn +# alb_security_group_id = aws_security_group.delius_frontend_alb_security_group.id +# env_name = var.env_name - container_vars_default = {} - container_vars_env_specific = try(var.delius_microservice_configs.newtech.container_vars_env_specific, {}) +# container_vars_default = {} +# container_vars_env_specific = try(var.delius_microservice_configs.newtech.container_vars_env_specific, {}) - container_secrets_default = {} - container_secrets_env_specific = try(var.delius_microservice_configs.newtech.container_secrets_env_specific, {}) +# container_secrets_default = {} +# container_secrets_env_specific = try(var.delius_microservice_configs.newtech.container_secrets_env_specific, {}) - desired_count = 0 +# desired_count = 0 - container_port_config = [ - { - containerPort = var.delius_microservice_configs.newtech.container_port - protocol = "tcp" - } - ] +# container_port_config = [ +# { +# containerPort = var.delius_microservice_configs.newtech.container_port +# protocol = "tcp" +# } +# ] - ecs_cluster_arn = module.ecs.ecs_cluster_arn - db_ingress_security_groups = [] - cluster_security_group_id = aws_security_group.cluster.id +# ecs_cluster_arn = module.ecs.ecs_cluster_arn +# db_ingress_security_groups = [] +# cluster_security_group_id = aws_security_group.cluster.id - bastion_sg_id = module.bastion_linux.bastion_security_group - tags = var.tags - microservice_lb = aws_lb.delius_core_frontend - microservice_lb_https_listener_arn = aws_lb_listener.listener_https.arn +# bastion_sg_id = module.bastion_linux.bastion_security_group +# tags = var.tags +# microservice_lb = aws_lb.delius_core_frontend 
+# microservice_lb_https_listener_arn = aws_lb_listener.listener_https.arn - alb_listener_rule_paths = ["/newtech", "/newtech/*"] - platform_vars = var.platform_vars - container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-new-tech-web:${var.delius_microservice_configs.newtech.image_tag}" - account_config = var.account_config - health_check_path = "/newtech" - account_info = var.account_info +# alb_listener_rule_paths = ["/newtech", "/newtech/*"] +# platform_vars = var.platform_vars +# container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-new-tech-web:${var.delius_microservice_configs.newtech.image_tag}" +# account_config = var.account_config +# health_check_path = "/newtech" +# account_info = var.account_info - ignore_changes_service_task_definition = false +# ignore_changes_service_task_definition = false - providers = { - aws.core-vpc = aws.core-vpc - aws.core-network-services = aws.core-network-services - } +# providers = { +# aws.core-vpc = aws.core-vpc +# aws.core-network-services = aws.core-network-services +# } - log_error_pattern = "ERROR" - sns_topic_arn = aws_sns_topic.delius_core_alarms.arn - frontend_lb_arn_suffix = aws_lb.delius_core_frontend.arn_suffix - enable_platform_backups = var.enable_platform_backups -} +# log_error_pattern = "ERROR" +# sns_topic_arn = aws_sns_topic.delius_core_alarms.arn +# frontend_lb_arn_suffix = aws_lb.delius_core_frontend.arn_suffix +# enable_platform_backups = var.enable_platform_backups +# } resource "aws_ssm_parameter" "pdfcreation_secret" { name = "/${var.env_name}/delius/newtech/web/params_secret_key" diff --git a/terraform/environments/delius-core/modules/delius_environment/pdfcreation.tf b/terraform/environments/delius-core/modules/delius_environment/pdfcreation.tf index b12f23be080..c22fc08b2a0 100644 
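Review bot: The `newtech` module is commented out rather than removed, while gdpr_api, gdpr_ui, merge_api, merge_ui and umt in this same diff are deleted outright, and `pdf_creation` in pdfcreation.tf gets the same comment-out treatment. Commented-out Terraform rots quickly and the history is already in git, so either delete the block or keep it with a `count`/`for_each` toggle driven from `var.delius_microservice_configs` so it can be re-enabled without uncommenting fifty lines. Whichever is chosen, the plan presumably destroys the ECS service, target group and listener rules behind these modules, and `pdf_creation` had `desired_count = 1`, so a running service is being torn down and that deserves a line in the commit message. `resource "aws_ssm_parameter" "pdfcreation_secret"` and `module "ssm_params_pdf_creation"` stay, and any reference to `module.newtech` or `module.pdf_creation` outputs elsewhere (not visible here) would now be unresolved.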
--- a/terraform/environments/delius-core/modules/delius_environment/pdfcreation.tf +++ b/terraform/environments/delius-core/modules/delius_environment/pdfcreation.tf 
@@ -1,65 +1,65 @@ -module "pdf_creation" { - source = "../helpers/delius_microservice" +# module "pdf_creation" { +# source = "../helpers/delius_microservice" - name = "pdf-creation" - certificate_arn = local.certificate_arn - alb_security_group_id = aws_security_group.delius_frontend_alb_security_group.id - env_name = var.env_name +# name = "pdf-creation" +# certificate_arn = local.certificate_arn +# alb_security_group_id = aws_security_group.delius_frontend_alb_security_group.id +# env_name = var.env_name - target_group_protocol_version = "HTTP1" +# target_group_protocol_version = "HTTP1" - health_check = { - command = [ - "CMD-SHELL", - "health=$(curl -sf http://localhost:8080/healthcheck || exit 1) && echo $health | jq -e '.status == \"OK\"'" - ] - interval = 30 - timeout = 5 - retries = 2 - startPeriod = 30 - } +# health_check = { +# command = [ +# "CMD-SHELL", +# "health=$(curl -sf http://localhost:8080/healthcheck || exit 1) && echo $health | jq -e '.status == \"OK\"'" +# ] +# interval = 30 +# timeout = 5 +# retries = 2 +# startPeriod = 30 +# } - container_port_config = [ - { - containerPort = var.delius_microservice_configs.pdf_creation.container_port - protocol = "tcp" - } - ] +# container_port_config = [ +# { +# containerPort = var.delius_microservice_configs.pdf_creation.container_port +# protocol = "tcp" +# } +# ] - container_vars_default = {} - container_vars_env_specific = try(var.delius_microservice_configs.pdf_creation.container_vars_env_specific, {}) +# container_vars_default = {} +# container_vars_env_specific = try(var.delius_microservice_configs.pdf_creation.container_vars_env_specific, {}) - container_secrets_default = { - # JAVA_TOOL_OPTIONS = module.ssm_params_pdf_creation.arn_map["JAVA_TOOL_OPTIONS"] - } - container_secrets_env_specific = try(var.delius_microservice_configs.pdf_creation.container_secrets_env_specific, {}) +# container_secrets_default = { +# # JAVA_TOOL_OPTIONS = module.ssm_params_pdf_creation.arn_map["JAVA_TOOL_OPTIONS"] +# 
} +# container_secrets_env_specific = try(var.delius_microservice_configs.pdf_creation.container_secrets_env_specific, {}) - desired_count = 1 +# desired_count = 1 - ecs_cluster_arn = module.ecs.ecs_cluster_arn - db_ingress_security_groups = [] - cluster_security_group_id = aws_security_group.cluster.id +# ecs_cluster_arn = module.ecs.ecs_cluster_arn +# db_ingress_security_groups = [] +# cluster_security_group_id = aws_security_group.cluster.id - bastion_sg_id = module.bastion_linux.bastion_security_group - tags = var.tags +# bastion_sg_id = module.bastion_linux.bastion_security_group +# tags = var.tags - platform_vars = var.platform_vars - container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-new-tech-pdfgenerator:${var.delius_microservice_configs.pdf_creation.image_tag}" - account_config = var.account_config - account_info = var.account_info +# platform_vars = var.platform_vars +# container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-new-tech-pdfgenerator:${var.delius_microservice_configs.pdf_creation.image_tag}" +# account_config = var.account_config +# account_info = var.account_info - ignore_changes_service_task_definition = false +# ignore_changes_service_task_definition = false - providers = { - aws.core-vpc = aws.core-vpc - aws.core-network-services = aws.core-network-services - } +# providers = { +# aws.core-vpc = aws.core-vpc +# aws.core-network-services = aws.core-network-services +# } - log_error_pattern = "ERROR" - sns_topic_arn = aws_sns_topic.delius_core_alarms.arn - frontend_lb_arn_suffix = aws_lb.delius_core_frontend.arn_suffix - enable_platform_backups = var.enable_platform_backups -} +# log_error_pattern = "ERROR" +# sns_topic_arn = aws_sns_topic.delius_core_alarms.arn +# frontend_lb_arn_suffix = aws_lb.delius_core_frontend.arn_suffix +# 
enable_platform_backups = var.enable_platform_backups +# } module "ssm_params_pdf_creation" { source = "../helpers/ssm_params" diff --git a/terraform/environments/delius-core/modules/delius_environment/umt.tf b/terraform/environments/delius-core/modules/delius_environment/umt.tf deleted file mode 100644 index d0b202a95ac..00000000000 --- a/terraform/environments/delius-core/modules/delius_environment/umt.tf +++ /dev/null 
@@ -1,119 +0,0 @@ -module "umt" { - source = "../helpers/delius_microservice" - account_config = var.account_config - account_info = var.account_info - alb_security_group_id = aws_security_group.delius_frontend_alb_security_group.id - certificate_arn = aws_acm_certificate.external.arn - - container_vars_default = {} - container_vars_env_specific = try(var.delius_microservice_configs.umt.container_vars_env_specific, {}) - - container_secrets_default = {} - container_secrets_env_specific = try(var.delius_microservice_configs.umt.container_secrets_env_specific, {}) - - desired_count = 0 - - container_port_config = [ - { - containerPort = var.delius_microservice_configs.umt.container_port - protocol = "tcp" - } - ] - - name = "umt" - env_name = var.env_name - - ecs_cluster_arn = module.ecs.ecs_cluster_arn - container_memory = var.delius_microservice_configs.umt.container_memory - container_cpu = var.delius_microservice_configs.umt.container_cpu - - health_check_path = "/umt/actuator/health" - health_check_grace_period_seconds = 600 - health_check_interval = 30 - target_group_protocol_version = "HTTP1" - - db_ingress_security_groups = [] - ecs_service_egress_security_group_ids = [ - { - ip_protocol = "tcp" - port = 389 - cidr_ipv4 = var.account_config.shared_vpc_cidr - }, - { - ip_protocol = "tcp" - port = 1521 - cidr_ipv4 = var.environment_config.migration_environment_db_cidr[0] - }, - { - ip_protocol = "tcp" - port = 1521 - cidr_ipv4 = var.environment_config.migration_environment_db_cidr[1] - }, - { - ip_protocol = "tcp" - port = 1521 - cidr_ipv4 = var.environment_config.migration_environment_db_cidr[2] - }, - ] - - cluster_security_group_id = aws_security_group.cluster.id - - bastion_sg_id = module.bastion_linux.bastion_security_group - - create_elasticache = true - elasticache_engine = "redis" - elasticache_engine_version = var.delius_microservice_configs.umt.elasticache_version - elasticache_node_type = var.delius_microservice_configs.umt.elasticache_node_type - 
elasticache_port = 6379 - elasticache_parameter_group_name = var.delius_microservice_configs.umt.elasticache_parameter_group_name - elasticache_apply_immediately = true - elasticache_parameters = { - "notify-keyspace-events" = "eA" # We need to turn on 'notify-keyspace-events' to support Spring Redis session expiration. See https://github.com/spring-projects/spring-session/issues/124 - "cluster-enabled" = "yes" - } - - - microservice_lb = aws_lb.delius_core_frontend - microservice_lb_https_listener_arn = aws_lb_listener.listener_https.arn - alb_listener_rule_paths = ["/umt"] - - container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-user-management:${var.delius_microservice_configs.umt.image_tag}" - - platform_vars = var.platform_vars - tags = var.tags - - ignore_changes_service_task_definition = true - - providers = { - aws.core-vpc = aws.core-vpc - aws.core-network-services = aws.core-network-services - } - - log_error_pattern = "ERROR" - sns_topic_arn = aws_sns_topic.delius_core_alarms.arn - frontend_lb_arn_suffix = aws_lb.delius_core_frontend.arn_suffix - enable_platform_backups = var.enable_platform_backups -} - -resource "aws_ssm_parameter" "elasticache_host" { - name = format("/%s-%s/umt/elasticache/host", var.account_info.application_name, var.env_name) - description = "UMT ElastiCache Host" - type = "SecureString" - value = module.umt.elasticache_endpoint -} - -resource "aws_ssm_parameter" "elasticache_port" { - name = format("/%s-%s/umt/elasticache/port", var.account_info.application_name, var.env_name) - description = "UMT ElastiCache Port" - type = "SecureString" - value = module.umt.elasticache_port -} - -resource "aws_vpc_security_group_egress_rule" "alb_to_umt" { - security_group_id = aws_security_group.delius_frontend_alb_security_group.id - description = "load balancer to umt ecs service" - from_port = "8080" - to_port = "8080" - ip_protocol = "tcp" - 
referenced_security_group_id = module.umt.service_security_group_id
-}
diff --git a/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf b/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf
index 8f9146fa88d..17fdf668f64 100644
--- a/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf
+++ b/terraform/environments/delius-core/modules/delius_environment/weblogic_eis.tf
@@ -79,6 +79,7 @@ module "weblogic_eis" {
 microservice_lb = aws_lb.delius_core_frontend
 microservice_lb_https_listener_arn = aws_lb_listener.listener_https.arn
 alb_listener_rule_paths = ["/eis"]
+ alb_listener_rule_priority = 4
 container_image = "${var.platform_vars.environment_management.account_ids["core-shared-services-production"]}.dkr.ecr.eu-west-2.amazonaws.com/delius-core-weblogic-eis-ecr-repo:${var.delius_microservice_configs.weblogic_eis.image_tag}"
diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/rds.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/rds.tf
index 8f753f574f0..90e14644b86 100644
--- a/terraform/environments/delius-core/modules/helpers/delius_microservice/rds.tf
+++ b/terraform/environments/delius-core/modules/helpers/delius_microservice/rds.tf
@@ -124,7 +124,6 @@ resource "aws_iam_role_policy_attachment" "rds_enhanced_monitoring" {
 data "aws_iam_policy_document" "rds_enhanced_monitoring" {
 count = var.create_rds ? 1 : (var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? 1 : 0)
-
 statement {
 actions = [
 "sts:AssumeRole",
diff --git a/terraform/environments/delius-core/modules/helpers/delius_microservice/rds_monitoring.tf b/terraform/environments/delius-core/modules/helpers/delius_microservice/rds_monitoring.tf
index 474067c9ccb..fda4f04c74c 100644
--- a/terraform/environments/delius-core/modules/helpers/delius_microservice/rds_monitoring.tf
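Review bot: `alb_listener_rule_priority = 4` is a bare magic number on a listener that several microservice modules share, and nothing in the file records which priorities are already taken; ALB rule priorities must be unique per listener, so a second module picking 4 fails at apply time. Add a why-comment above the line, e.g. `# listener rule priority must be unique across all rules on listener_https; allocated in <PLACEHOLDER: priority table>`, or derive it from a single map in the environment's locals so collisions are caught at plan time. The `module "weblogic_eis"` block starts and ends outside the hunk.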
+++ b/terraform/environments/delius-core/modules/helpers/delius_microservice/rds_monitoring.tf
@@ -26,18 +26,17 @@ resource "aws_cloudwatch_metric_alarm" "rds_cpu_over_threshold" {
 )
 }
-resource "aws_cloudwatch_metric_alarm" "ram_over_threshold" {
+resource "aws_cloudwatch_metric_alarm" "rds_memory_over_threshold" {
 count = var.create_rds ? 1 : 0
- alarm_name = "${var.name}-rds-ram-threshold"
- alarm_description = "Triggers alarm if RDS RAM crosses a threshold"
+ alarm_name = "${var.name}-rds-memory-threshold"
+ alarm_description = "Triggers alarm if RDS Memory crosses a threshold"
 namespace = "AWS/RDS"
 metric_name = "FreeableMemory"
 statistic = "Average"
 period = "60"
 evaluation_periods = "10"
- # add sns topic later
- # alarm_actions = [aws_sns_topic.alerting.arn]
- # ok_actions = [aws_sns_topic.alerting.arn]
+ alarm_actions = [var.sns_topic_arn]
+ ok_actions = [var.sns_topic_arn]
 threshold = "800000000"
 treat_missing_data = "missing"
 comparison_operator = "LessThanThreshold"
@@ -54,7 +53,7 @@ resource "aws_cloudwatch_metric_alarm" "ram_over_threshold" {
 )
 }
-resource "aws_cloudwatch_metric_alarm" "read_latency_over_threshold" {
+resource "aws_cloudwatch_metric_alarm" "rds_read_latency_over_threshold" {
 count = var.create_rds ? 1 : 0
 alarm_name = "${var.name}-rds-read-latency-threshold"
 alarm_description = "Triggers alarm if RDS read latency crosses a threshold"
@@ -63,9 +62,8 @@ resource "aws_cloudwatch_metric_alarm" "read_latency_over_threshold" {
 statistic = "Average"
 period = "60"
 evaluation_periods = "5"
- # add sns topic later
- # alarm_actions = [aws_sns_topic.alerting.arn]
- # ok_actions = [aws_sns_topic.alerting.arn]
+ alarm_actions = [var.sns_topic_arn]
+ ok_actions = [var.sns_topic_arn]
 threshold = "5"
 treat_missing_data = "missing"
 comparison_operator = "GreaterThanThreshold"
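Review bot: Renaming `ram_over_threshold` to `rds_memory_over_threshold` (and likewise `read_latency_over_threshold`, `write_latency_over_threshold`, `db_connections_over_threshold` and `db_queue_depth_over_threshold` in the later hunks of this file) with no `moved` block makes Terraform destroy and recreate each alarm, and the `alarm_name` changes in this hunk and in the queue-depth hunk force a recreate even with a move, so for the apply window the alarms do not exist and their state history is lost. Add one `moved { from = aws_cloudwatch_metric_alarm.ram_over_threshold to = aws_cloudwatch_metric_alarm.rds_memory_over_threshold }` per rename so that at least the address changes are no-ops, and call out the `alarm_name` changes in the commit message as an intentional recreate. The new name `rds_memory_over_threshold` also contradicts the `LessThanThreshold` comparison it keeps; `rds_memory_under_threshold` would read correctly.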
@@ -82,7 +80,7 @@ resource "aws_cloudwatch_metric_alarm" "read_latency_over_threshold" {
 )
 }
-resource "aws_cloudwatch_metric_alarm" "write_latency_over_threshold" {
+resource "aws_cloudwatch_metric_alarm" "rds_write_latency_over_threshold" {
 count = var.create_rds ? 1 : 0
 alarm_name = "${var.name}-rds-write-latency-threshold"
 alarm_description = "Triggers alarm if RDS write latency crosses a threshold"
@@ -91,9 +89,8 @@ resource "aws_cloudwatch_metric_alarm" "write_latency_over_threshold" {
 statistic = "Average"
 period = "60"
 evaluation_periods = "5"
- # add sns topic later
- # alarm_actions = [aws_sns_topic.alerting.arn]
- # ok_actions = [aws_sns_topic.alerting.arn]
+ alarm_actions = [var.sns_topic_arn]
+ ok_actions = [var.sns_topic_arn]
 threshold = "5"
 treat_missing_data = "missing"
 comparison_operator = "GreaterThanThreshold"
@@ -110,7 +107,7 @@ resource "aws_cloudwatch_metric_alarm" "write_latency_over_threshold" {
 )
 }
-resource "aws_cloudwatch_metric_alarm" "db_connections_over_threshold" {
+resource "aws_cloudwatch_metric_alarm" "rds_connections_over_threshold" {
 count = var.create_rds ? 1 : 0
 alarm_name = "${var.name}-rds-db-connections-threshold"
 alarm_description = "Triggers alarm if RDS database connections crosses a threshold"
@@ -119,9 +116,8 @@ resource "aws_cloudwatch_metric_alarm" "db_connections_over_threshold" {
 statistic = "Average"
 period = "60"
 evaluation_periods = "5"
- # add sns topic later
- # alarm_actions = [aws_sns_topic.alerting.arn]
- # ok_actions = [aws_sns_topic.alerting.arn]
+ alarm_actions = [var.sns_topic_arn]
+ ok_actions = [var.sns_topic_arn]
 threshold = "100"
 treat_missing_data = "missing"
 comparison_operator = "GreaterThanThreshold"
@@ -138,18 +134,17 @@ resource "aws_cloudwatch_metric_alarm" "db_connections_over_threshold" {
 )
 }
-resource "aws_cloudwatch_metric_alarm" "db_queue_depth_over_threshold" {
+resource "aws_cloudwatch_metric_alarm" "rds_allocated_storage_queue_depth_over_threshold" {
 count = var.create_rds ? 1 : 0
- alarm_name = "${var.name}-rds-db-queue-depth-threshold"
+ alarm_name = "${var.name}-rds-queue-depth-threshold"
 alarm_description = "Triggers alarm if RDS database queue depth crosses a threshold"
 namespace = "AWS/RDS"
 metric_name = "DiskQueueDepth"
 statistic = "Average"
 period = "300"
 evaluation_periods = "5"
- # add sns topic later
- # alarm_actions = [aws_sns_topic.alerting.arn]
- # ok_actions = [aws_sns_topic.alerting.arn]
+ alarm_actions = [var.sns_topic_arn]
+ ok_actions = [var.sns_topic_arn]
 threshold = "60"
 treat_missing_data = "missing"
 comparison_operator = "GreaterThanThreshold"
@@ -165,3 +160,31 @@ resource "aws_cloudwatch_metric_alarm" "db_queue_depth_over_threshold" {
 }
 )
 }
+
+resource "aws_cloudwatch_metric_alarm" "rds_freeable_memory_less_than_threshold" {
+ count = var.create_rds ? 1 : 0
+ alarm_name = "${var.name}-rds-freeable-memory-threshold"
+ alarm_description = "Triggers alarm if RDS freeable memory crosses a threshold"
+ namespace = "AWS/RDS"
+ metric_name = "FreeableMemory"
+ statistic = "Average"
+ period = "60"
+ evaluation_periods = "15"
+ datapoints_to_alarm = 15
+ alarm_actions = [var.sns_topic_arn]
+ ok_actions = [var.sns_topic_arn]
+ threshold = "800000000"
+ treat_missing_data = "missing"
+ comparison_operator = "LessThanThreshold"
+
+ dimensions = {
+ DBInstanceIdentifier = aws_db_instance.this[0].identifier
+ }
+
+ tags = merge(
+ var.tags,
+ {
+ Name = var.name
+ }
+ )
+}
diff --git a/terraform/environments/delius-iaps/ad.tf b/terraform/environments/delius-iaps/ad.tf
index db77043e666..4dc2819fc1f 100644
--- a/terraform/environments/delius-iaps/ad.tf
+++ b/terraform/environments/delius-iaps/ad.tf
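Review bot: The new `rds_freeable_memory_less_than_threshold` alarm duplicates the `rds_memory_over_threshold` alarm earlier in this file: same `FreeableMemory` metric, same `800000000` threshold, same `LessThanThreshold` comparison and the same SNS topic, differing only in `evaluation_periods`/`datapoints_to_alarm` (10 vs 15/15). Every low-memory event will now notify the topic twice and the two alarms can flap independently, which trains responders to ignore the channel. Either drop one of them or give the new alarm a distinct purpose recorded in `alarm_description` (for instance a lower threshold as a critical tier), and state the unit on the literal, `threshold = "800000000" # bytes (~800 MB freeable)`, since the metric is in bytes and the value is easy to misread.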
@@ -18,7 +18,7 @@ resource "aws_directory_service_directory" "active_directory" {
 type = "MicrosoftAD"
 edition = "Standard"
- password = aws_secretsmanager_secret_version.ad_password.secret_string
+ password = data.aws_secretsmanager_secret_version.ad_password.secret_string
 enable_sso = false
 vpc_settings {
diff --git a/terraform/environments/delius-iaps/application_variables.json b/terraform/environments/delius-iaps/application_variables.json
index 17df613326a..0012b1b5c17 100644
--- a/terraform/environments/delius-iaps/application_variables.json
+++ b/terraform/environments/delius-iaps/application_variables.json
@@ -2,7 +2,7 @@
 "accounts": {
 "development": {
 "short_environment_name": "dev",
- "db_engine_version": "19.0.0.0.ru-2023-04.rur-2023-04.r1",
+ "db_engine_version": "19.0.0.0.ru-2024-04.rur-2024-04.r1",
 "db_auto_minor_version_upgrade": "false",
 "db_allow_major_version_upgrade": "false",
 "db_apply_immediately": "true",
@@ -27,7 +27,7 @@
 },
 "preproduction": {
 "short_environment_name": "preprod",
- "db_engine_version": "19.0.0.0.ru-2023-04.rur-2023-04.r1",
+ "db_engine_version": "19.0.0.0.ru-2024-04.rur-2024-04.r1",
 "db_snapshot_identifier": "iaps-2023-09-19-03-06-refresh",
 "db_auto_minor_version_upgrade": "false",
 "db_allow_major_version_upgrade": "false",
diff --git a/terraform/environments/delius-iaps/rds.tf b/terraform/environments/delius-iaps/rds.tf
index a400c6a4dc3..43ca273a571 100644
--- a/terraform/environments/delius-iaps/rds.tf
+++ b/terraform/environments/delius-iaps/rds.tf
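Review bot: Reading `password` straight from `data.aws_secretsmanager_secret_version.ad_password` means any rotation of the secret outside Terraform shows up as a diff on the directory's `password` argument, and on this resource a password change is, as far as I know, a forced replacement of the whole directory; the removed `aws_secretsmanager_secret_version` resource had `ignore_changes = all` precisely to avoid that. The new `directory_service.tf` in this same commit guards against it with `lifecycle { ignore_changes = [password] }`; add the same block to `active_directory` so a rotated secret cannot plan the directory away. The `resource "aws_directory_service_directory" "active_directory"` block starts and ends outside the hunk.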
@@ -15,7 +15,7 @@ resource "aws_db_instance" "iaps" {
 # tflint-ignore: aws_db_instance_default_parameter_group
 parameter_group_name = "default.oracle-ee-19"
- ca_cert_identifier = "rds-ca-rsa4096-g1"
+ ca_cert_identifier = "rds-ca-rsa2048-g1"
 skip_final_snapshot = local.application_data.accounts[local.environment].db_skip_final_snapshot
 allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
 max_allocated_storage = local.application_data.accounts[local.environment].db_max_allocated_storage
diff --git a/terraform/environments/delius-iaps/secrets.tf b/terraform/environments/delius-iaps/secrets.tf
index ff80214f919..c51d7d942a4 100644
--- a/terraform/environments/delius-iaps/secrets.tf
+++ b/terraform/environments/delius-iaps/secrets.tf
@@ -22,10 +22,6 @@ resource "aws_secretsmanager_secret" "ad_password" {
 )
 }
-resource "aws_secretsmanager_secret_version" "ad_password" {
- secret_id = aws_secretsmanager_secret.ad_password.id
- secret_string = random_password.ad_password.result
- lifecycle {
- ignore_changes = all # ignore everything as we only want to create this once at env initialisation
- }
+data "aws_secretsmanager_secret_version" "ad_password" {
+ secret_id = aws_secretsmanager_secret.ad_password.id
 }
diff --git a/terraform/environments/delius-mis/files/.ssh/delius-mis-test/ec2-user.pub b/terraform/environments/delius-mis/files/.ssh/delius-mis-test/ec2-user.pub
new file mode 100644
index 00000000000..6bbd3d8262d
--- /dev/null
+++ b/terraform/environments/delius-mis/files/.ssh/delius-mis-test/ec2-user.pub
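Review bot: `ca_cert_identifier` moves from `rds-ca-rsa4096-g1` to `rds-ca-rsa2048-g1`, a weaker CA key, with no comment saying why; a later reader will take it for an accidental downgrade and revert it. Put the reason inline, e.g. `ca_cert_identifier = "rds-ca-rsa2048-g1" # <PLACEHOLDER: client/driver that rejects the rsa4096 chain>`, and note in the commit message that changing the CA on an existing instance may require a reboot, which the per-account `db_apply_immediately` setting in application_variables.json would carry out at apply time rather than in the maintenance window. The `aws_db_instance` block starts and ends outside the hunk.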
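Review bot: After this hunk nothing in Terraform ever writes a version of `aws_secretsmanager_secret.ad_password`: the removed `aws_secretsmanager_secret_version` resource was the only writer, so in a fresh environment the new data source fails with a not-found error on the first plan, and the `random_password.ad_password` it referenced is presumably now unused (its declaration is outside the hunk). The out-of-band seeding step is the real contract here and belongs on the data source, e.g. `# value is seeded manually before first apply (see <PLACEHOLDER: runbook>); Terraform never writes it`. If `random_password.ad_password` is indeed orphaned, remove it in the same change so a generated password is not left sitting in state for nothing.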
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQClAqwJZHxCxeu1qan+2SbLgcDazHT2V9stj84ogU3pMmQlPHLmJzuvW2ux5nALY5g+dC1d/2zGIw63WpPTYbM7WOIr45k9BJXLc5/WhPSZUEN7XiuCv38qXZ6dc8yrbPjqLvaP6Utd2O0alBo1RQGi3NVRMiMsRvqK0SvnSAdw84Wvp4snX2BhcKDyD+0oYYJXdShdX1b9Ex6T06foXJyMTCHQFJxPBAr6IbLm+iJ0MdNu5ITydwr5vS9o/momgzgx5ykpERqRyp/0DgX9GC8YaERdXNB2enfRIUpNV9Klqv5N0an4c9r0d7QbdbJ+j2kldsiRZFn9nd+brVZgOkT+L+nyKVpKjcNTZhBMvbTrPQdwnxkhGA5kdpe1U34xY+2zp0G3iUxh1OmL0bOnLJNtMZvoT0wYgfI9IOOs9WvER85hGTaVOKyV1cTQuwwc31ed/GemZlepJuqMydLuqlQtVBQ0ZBrphVx/AApQb76dA++kf2uxxNo8b6opUgn6rD8=
diff --git a/terraform/environments/delius-mis/modules/mis_environment/directory_service.tf b/terraform/environments/delius-mis/modules/mis_environment/directory_service.tf
new file mode 100644
index 00000000000..47394299d2e
--- /dev/null
+++ b/terraform/environments/delius-mis/modules/mis_environment/directory_service.tf
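Review bot: The committed public key has no trailing comment field, so nothing in the repository says whose key pair this is or when it was issued, which makes rotation and offboarding guesswork. Append an identifying comment to the key line, e.g. `ssh-rsa AAAA… ec2-user@delius-mis-test <PLACEHOLDER: owning team, issue date>`, and record where the matching private key is held alongside it. Judging by the modulus-length prefix this looks like a 3072-bit RSA key; for newly issued keys an Ed25519 key would be both shorter and the current default recommendation.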
@@ -0,0 +1,152 @@
+locals {
+ domain_full_name = "${var.app_name}-${var.env_name}.internal"
+}
+
+resource "aws_directory_service_directory" "mis_ad" {
+ name = local.domain_full_name
+
+ description = "Microsoft AD for ${var.app_name}-${var.env_name}"
+
+ type = "MicrosoftAD"
+ edition = "Standard"
+
+ password = data.aws_secretsmanager_secret_version.ad_admin_password.secret_string
+
+ vpc_settings {
+ vpc_id = var.account_info.vpc_id
+ subnet_ids = slice(var.account_config.private_subnet_ids, 0, 2)
+ }
+
+ tags = var.tags
+
+ lifecycle {
+ ignore_changes = [
+ password
+ ]
+ }
+}
+
+resource "aws_secretsmanager_secret" "ad_admin_password" {
+ name = "${var.app_name}-${var.env_name}-ad-admin-password"
+ recovery_window_in_days = 0
+
+ tags = merge(
+ var.tags,
+ {
+ Name = "${var.app_name}-${var.env_name}-ad-admin-password"
+ }
+ )
+}
+
+data "aws_secretsmanager_secret_version" "ad_admin_password" {
+ secret_id = aws_secretsmanager_secret.ad_admin_password.id
+}
+
+###
+# Logging
+###
+
+resource "aws_cloudwatch_log_group" "active_directory" {
+ name = "/aws/directoryservice/${aws_directory_service_directory.mis_ad.id}"
+ retention_in_days = 14
+}
+
+data "aws_iam_policy_document" "ad_log_policy" {
+ statement {
+ actions = [
+ "logs:CreateLogStream",
+ "logs:PutLogEvents",
+ ]
+
+ principals {
+ identifiers = ["ds.amazonaws.com"]
+ type = "Service"
+ }
+
+ resources = ["${aws_cloudwatch_log_group.active_directory.arn}:*"]
+
+ effect = "Allow"
+ }
+}
+
+resource "aws_cloudwatch_log_resource_policy" "active_directory_log_policy" {
+ policy_document = data.aws_iam_policy_document.ad_log_policy.json
+ policy_name = "ad-log-policy-${var.app_name}-${var.env_name}"
+}
+
+resource "aws_directory_service_log_subscription" "active_directory" {
+ directory_id = aws_directory_service_directory.mis_ad.id
+ log_group_name = aws_cloudwatch_log_group.active_directory.name
+ depends_on = [
+ aws_cloudwatch_log_resource_policy.active_directory_log_policy
+ ]
+}
+
+###
+# Route 53 Resolver setup
+###
+
+resource "aws_security_group" "mis_ad_dns_resolver_security_group" {
+ provider = aws.core-vpc
+
+ name = "DNS resolver for ${local.domain_full_name}"
+ description = "Security Group for DNS resolver requests relating to ${local.domain_full_name}"
+ vpc_id = var.account_config.shared_vpc_id
+}
+
+resource "aws_security_group_rule" "mis_ad_dns_resolver_security_group_rule_egress" {
+ provider = aws.core-vpc
+
+ for_each = {
+ tcp = "tcp"
+ udp = "udp"
+ }
+ description = "VPC to DNS Endpoint traffic for (${each.key})"
+ from_port = 53
+ protocol = each.value
+ security_group_id = aws_security_group.mis_ad_dns_resolver_security_group.id
+ to_port = 53
+ type = "egress"
+ cidr_blocks = [var.account_config.shared_vpc_cidr]
+}
+
+resource "aws_route53_resolver_endpoint" "resolve_local_entries_using_ad_dns" {
+ provider = aws.core-vpc
+
+ name = replace(local.domain_full_name, ".", "-")
+ direction = "OUTBOUND"
+
+ security_group_ids = [
+ aws_security_group.mis_ad_dns_resolver_security_group.id
+ ]
+ dynamic "ip_address" {
+ for_each = var.account_config.private_subnet_ids
+ content {
+ subnet_id = ip_address.value
+ }
+ }
+}
+
+resource "aws_route53_resolver_rule" "r53_fwd_to_ad" {
+ provider = aws.core-vpc
+
+ domain_name = local.domain_full_name
+ name = replace(local.domain_full_name, ".", "-")
+ rule_type = "FORWARD"
+
+ resolver_endpoint_id = aws_route53_resolver_endpoint.resolve_local_entries_using_ad_dns.id
+
+ dynamic "target_ip" {
+ for_each = sort(aws_directory_service_directory.mis_ad.dns_ip_addresses)
+ content {
+ ip = target_ip.value
+ }
+ }
+}
+
+resource "aws_route53_resolver_rule_association" "vpc_r53_fwd_to_ad" {
+ provider = aws.core-vpc
+
+ resolver_rule_id = aws_route53_resolver_rule.r53_fwd_to_ad.id
+ vpc_id = var.account_config.shared_vpc_id
+}
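Review bot: `recovery_window_in_days = 0` on `ad_admin_password` means a `terraform destroy` or a mistaken replacement of the secret deletes the only copy of the directory administrator credential immediately, with no recovery window; for a value Terraform cannot regenerate (this file only reads it through the data source and never writes a version) that is the wrong default, so drop the argument or set it within the 7–30 day range. The same read-only data source also means the first apply of a new environment fails until someone seeds the secret by hand, which deserves a comment on the data source, e.g. `# value is seeded out of band before first apply; see <PLACEHOLDER: runbook>`. Finally, the outbound resolver security group allows port 53 to the whole `shared_vpc_cidr`, while the only legitimate destinations are the directory's own DNS servers: `cidr_blocks = [for ip in aws_directory_service_directory.mis_ad.dns_ip_addresses : "${ip}/32"]` confines it to exactly those.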
diff --git a/terraform/environments/delius-nextcloud/modules/components/nextcloud/locals.tf b/terraform/environments/delius-nextcloud/modules/components/nextcloud/locals.tf
index 3af71974e51..c2b8815ce46 100644
--- a/terraform/environments/delius-nextcloud/modules/components/nextcloud/locals.tf
+++ b/terraform/environments/delius-nextcloud/modules/components/nextcloud/locals.tf
@@ -13,7 +13,10 @@ locals {
 domain_type_main = [for k, v in local.domain_types : v.type if k == "modernisation-platform.service.justice.gov.uk"]
 domain_type_sub = [for k, v in local.domain_types : v.type if k != "modernisation-platform.service.justice.gov.uk"]
- globalprotect_ips = module.ip_addresses.moj_cidr.moj_aws_digital_macos_globalprotect_alpha
+ globalprotect_ips = concat(
+ module.ip_addresses.moj_cidr.moj_aws_digital_macos_globalprotect_alpha,
+ module.ip_addresses.moj_cidr.moj_aws_digital_macos_globalprotect_prisma,
+ )
 unilink_ips = [
 "194.75.210.216/29", # Unilink AOVPN
 "83.98.63.176/29", # Unilink AOVPN
diff --git a/terraform/environments/digital-prison-reporting/athena_federated_queries.tf b/terraform/environments/digital-prison-reporting/athena_federated_queries.tf
index 4b636b85eda..536e3d7163a 100644
--- a/terraform/environments/digital-prison-reporting/athena_federated_queries.tf
+++ b/terraform/environments/digital-prison-reporting/athena_federated_queries.tf
@@ -10,6 +10,19 @@ locals {
 module "athena_federated_query_connector_oracle" {
 source = "./modules/athena_federated_query_connectors/oracle"
+ #checkov:skip=CKV_AWS_25
+ #checkov:skip=CKV_AWS_23
+ #checkov:skip=CKV_AWS_277
+ #checkov:skip=CKV_AWS_260
+ #checkov:skip=CKV_AWS_24
+ #checkov:skip=CKV_AWS_117
+ #checkov:skip=CKV_AWS_363
+ #checkov:skip=CKV_AWS_63:Ensure no IAM policies documents allow "*" as a statement's actions
+ #checkov:skip=CKV_AWS_62:Ensure IAM policies that allow full "*-*" administrative privileges are not created
+ #checkov:skip=CKV_AWS_61:Ensure AWS IAM policy does not allow assume role permission across all service
+ #checkov:skip=CKV_AWS_60:Ensure IAM role allows only specific services or principals to assume it
+ #checkov:skip=CKV_AWS_274:Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy
+
 connector_jar_bucket_key = "third-party/athena-connectors/athena-oracle-2022.47.1.jar"
 connector_jar_bucket_name = module.s3_artifacts_store.bucket_id
 spill_bucket_name = module.s3_working_bucket.bucket_id
diff --git a/terraform/environments/digital-prison-reporting/cloudtrail.tf b/terraform/environments/digital-prison-reporting/cloudtrail.tf
index c5a2fa11c9d..03b2d3d50da 100644
--- a/terraform/environments/digital-prison-reporting/cloudtrail.tf
+++ b/terraform/environments/digital-prison-reporting/cloudtrail.tf
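Review bot: Seven of the twelve `#checkov:skip` lines added to the `athena_federated_query_connector_oracle` module call carry no justification after the check id, and the ones that do (`CKV_AWS_62`, `CKV_AWS_63`, `CKV_AWS_274`) merely paste the check's title, which suppresses findings about `*` actions and AdministratorAccess-equivalent policies without saying why they are acceptable here; the same pattern recurs in the cloudtrail.tf, cross-account.tf, data.tf and kms.tf hunks of this commit. Checkov treats text after the colon as a free-form reason, so each skip should read like `#checkov:skip=CKV_AWS_63:connector needs <PLACEHOLDER: specific reason>, reviewed <PLACEHOLDER: date/ticket>`, and a skip that cannot be given a reason is usually a finding that should be fixed in the module instead. Whether a skip placed on a `module` block is propagated to the resources the module creates also depends on the checkov version in use, so the suppressed findings may still fire; confirm with one scan before relying on it.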
@@ -1,4 +1,10 @@
 resource "aws_cloudtrail" "trail" {
+ #checkov:skip=CKV_AWS_251:Ensure CloudTrail logging is enabled
+ #checkov:skip=CKV2_AWS_10: "Ignore - Ensure CloudTrail trails are integrated with CloudWatch Logs"
+ #checkov:skip=CKV_AWS_36: "Ensure CloudTrail log file validation is enabled"
+ #checkov:skip=CKV_AWS_67: "Ensure CloudTrail is enabled in all Regions"
+ #checkov:skip=CKV_AWS_35: "Ensure CloudTrail logs are encrypted at rest using KMS CMKs"
+ #checkov:skip=CKV_AWS_252: "Ensure CloudTrail defines an SNS Topic"
 count = local.enable_dpr_cloudtrail ? 1 : 0
 name = "${local.project}-cloud-trail-${local.environment}"
 s3_bucket_name = module.s3_audit_logging_bucket.bucket_id
diff --git a/terraform/environments/digital-prison-reporting/cross-account.tf b/terraform/environments/digital-prison-reporting/cross-account.tf
index 6417d0fb375..bbee666e647 100644
--- a/terraform/environments/digital-prison-reporting/cross-account.tf
+++ b/terraform/environments/digital-prison-reporting/cross-account.tf
@@ -8,9 +8,20 @@ resource "aws_iam_openid_connect_provider" "cluster" {
 }
 ## Role
-## CrossAccount DataAPI Cross Account Role, 
+## CrossAccount DataAPI Cross Account Role,
 # CrossAccount DataAPI Assume Policy
 data "aws_iam_policy_document" "dataapi_cross_assume" {
+ #checkov:skip=CKV_AWS_110:Ensure IAM policies does not allow privilege escalation
+ #checkov:skip=CKV_AWS_358:OIDC trust policies only allows actions from a specific known organization Already
+ #checkov:skip=CKV_AWS_107:Ensure IAM policies does not allow credentials exposure
+ #checkov:skip=CKV_AWS_111:Ensure IAM policies does not allow write access without constraints
+ #checkov:skip=CKV_AWS_356
+ #checkov:skip=CKV_AWS_109
+ #checkov:skip=CKV_AWS_1
+ #checkov:skip=CKV_AWS_283
+ #checkov:skip=CKV_AWS_49
+ #checkov:skip=CKV_AWS_108
+
 statement {
 actions = ["sts:AssumeRole"]
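Review bot: Two of the skips added to `aws_cloudtrail.trail` silence controls that are one attribute each on this very resource: `CKV_AWS_36` (log file validation) is satisfied by `enable_log_file_validation = true`, and `CKV_AWS_35` (encryption at rest) by a `kms_key_id` pointing at one of the keys in kms.tf; log file validation in particular is the tamper-evidence property an audit trail exists to provide, so suppressing it is a weaker choice than enabling it. The skip texts also just repeat the check titles rather than give a reason. Either set the two attributes or replace the pasted titles with the actual justification, e.g. `#checkov:skip=CKV_AWS_36:<PLACEHOLDER: why integrity validation is not wanted here>`. The `aws_cloudtrail` resource continues outside the hunk.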
@@ -43,6 +54,10 @@ data "aws_iam_policy_document" "dataapi_cross_assume" {
 # CrossAccount DataAPI Role
 resource "aws_iam_role" "dataapi_cross_role" {
+ #checkov:skip=CKV_AWS_61:Ensure IAM policies does not allow data exfiltration
+ #checkov:skip=CKV_AWS_60:Ensure IAM role allows only specific services or principals to assume it
+ #checkov:skip=CKV_AWS_274:Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy
+
 name = "${local.project}-data-api-cross-account-role"
 description = "Data API Cross Account Role"
 assume_role_policy = data.aws_iam_policy_document.dataapi_cross_assume.json
@@ -61,31 +76,46 @@ resource "aws_iam_role" "dataapi_cross_role" {
 # CrossAccount DataAPI Role/Policy Attachement
 resource "aws_iam_role_policy_attachment" "redshift_dataapi" {
+ #checkov:skip=CKV_AWS_274:Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy
+
 role = aws_iam_role.dataapi_cross_role.name
 policy_arn = aws_iam_policy.redshift_dataapi_cross_policy.arn
 }
 # Athena API Role/Policy Attachement
 resource "aws_iam_role_policy_attachment" "athena_api" {
+ #checkov:skip=CKV_AWS_274:Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy
+
 role = aws_iam_role.dataapi_cross_role.name
 policy_arn = aws_iam_policy.athena_api_cross_policy.arn
 }
 # S3 Read Write Policy Attachement
 resource "aws_iam_role_policy_attachment" "s3_read_write" {
+ #checkov:skip=CKV_AWS_274:Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy
+
 role = aws_iam_role.dataapi_cross_role.name
 policy_arn = aws_iam_policy.s3_read_write_policy.arn
 }
 # KMS Policy Attachement
 resource "aws_iam_role_policy_attachment" "kms_read_access_policy" {
+ #checkov:skip=CKV_AWS_274:Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy
+
 role = aws_iam_role.dataapi_cross_role.name
 policy_arn = aws_iam_policy.kms_read_access_policy.arn
 }
 # Glue Catalog Readonly Attachement
 resource "aws_iam_role_policy_attachment" "glue_catalog_readonly" {
+ #checkov:skip=CKV_AWS_274:Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy
+
 role = aws_iam_role.dataapi_cross_role.name
 policy_arn = aws_iam_policy.glue_catalog_readonly.arn
 }
+# Lake Formation Data Access Attachement
+resource "aws_iam_role_policy_attachment" "lake_formation_data_access" {
+ role = aws_iam_role.dataapi_cross_role.name
+ policy_arn = aws_iam_policy.lake_formation_data_access.arn
+}
\ No newline at end of file
diff --git a/terraform/environments/digital-prison-reporting/data.tf b/terraform/environments/digital-prison-reporting/data.tf
index 9d6d43ddf60..92ad7ca6498 100644
--- a/terraform/environments/digital-prison-reporting/data.tf
+++ b/terraform/environments/digital-prison-reporting/data.tf
@@ -44,6 +44,8 @@ data "aws_secretsmanager_secret_version" "datamart" {
 # AWS _IAM_ Policy
 data "aws_iam_policy" "rds_full_access" {
+ #checkov:skip=CKV_AWS_275:Disallow policies from using the AWS AdministratorAccess policy
+
 arn = "arn:aws:iam::aws:policy/AmazonRDSFullAccess"
 }
@@ -124,3 +126,9 @@ data "aws_secretsmanager_secret_version" "transfer_component_role_secret_version
 data "aws_iam_session_context" "current" {
 arn = data.aws_caller_identity.current.arn
 }
+
+# Retrieves role for data-engineers
+
+data "aws_iam_roles" "data_engineering_roles" {
+ name_regex = "AWSReservedSSO_modernisation-platform-data-eng.*"
+}
\ No newline at end of file
diff --git a/terraform/environments/digital-prison-reporting/kms.tf b/terraform/environments/digital-prison-reporting/kms.tf
index 6f0af582689..1316c49dcc5 100644
--- a/terraform/environments/digital-prison-reporting/kms.tf
+++ b/terraform/environments/digital-prison-reporting/kms.tf
@@ -1,5 +1,9 @@
 ### S3 KMS
 resource "aws_kms_key" "s3" {
+ #checkov:skip=CKV_AWS_33
+ #checkov:skip=CKV_AWS_227
+ #checkov:skip=CKV_AWS_7
+
 description = "Encryption key for s3"
 enable_key_rotation = true
 key_usage = "ENCRYPT_DECRYPT"
@@ -18,7 +22,16 @@ resource "aws_kms_key" "s3" {
 data "aws_iam_policy_document" "s3-kms" {
 statement {
 #checkov:skip=CKV_AWS_111
- #checkov:skip=CKV_AWS_109
+ #checkov:skip=CKV_AWS_109
+ #checkov:skip=CKV_AWS_358
+ #checkov:skip=CKV_AWS_107
+ #checkov:skip=CKV_AWS_1
+ #checkov:skip=CKV_AWS_356
+ #checkov:skip=CKV_AWS_283
+ #checkov:skip=CKV_AWS_49
+ #checkov:skip=CKV_AWS_108
+ #checkov:skip=CKV_AWS_110
+
 effect = "Allow"
 actions = ["kms:*"]
 resources = ["*"]
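Review bot: `name_regex = "AWSReservedSSO_modernisation-platform-data-eng.*"` is unanchored and has no `path_prefix`, so it matches every role whose name starts with that prefix (a sibling permission set with a longer name, or a non-SSO role someone names similarly), not the single data-engineering role the comment promises. Add `path_prefix = "/aws-reserved/sso.amazonaws.com/"` to confine the lookup to Identity Center-provisioned roles and anchor the pattern, e.g. `name_regex = "^AWSReservedSSO_modernisation-platform-data-eng_[0-9a-f]+$"` (constructed example; confirm against the real permission-set name). The consumer in lake_formation.tf collapses the result with `one()`, so an extra match does not stop the plan but silently changes who is granted Lake Formation admin. The file also loses its trailing newline in this hunk.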
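Review bot: `#checkov:skip=CKV_AWS_7` is added to `aws_kms_key.s3` (and to the kinesis, redshift, rds and operational_db keys in the following hunks) although each of those resources has `enable_key_rotation = true` two lines below; if CKV_AWS_7 is the CMK-rotation check, this suppresses a control the resource already passes and will hide a later regression that turns rotation off. The `CKV_AWS_33`/`CKV_AWS_227` skips on the same resources likewise carry no reason. Drop the `CKV_AWS_7` lines and give the remaining skips a justification, e.g. `#checkov:skip=CKV_AWS_33:<PLACEHOLDER: why the key policy principal must be wildcarded>`.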
@@ -37,6 +50,10 @@ resource "aws_kms_alias" "kms-alias" {
 ### KINESIS KMS
 resource "aws_kms_key" "kinesis-kms-key" {
+ #checkov:skip=CKV_AWS_33
+ #checkov:skip=CKV_AWS_227
+ #checkov:skip=CKV_AWS_7
+
 description = "Encryption key for kinesis data stream"
 enable_key_rotation = true
 key_usage = "ENCRYPT_DECRYPT"
@@ -55,7 +72,8 @@ resource "aws_kms_key" "kinesis-kms-key" {
 data "aws_iam_policy_document" "kinesis-kms" {
 statement {
 #checkov:skip=CKV_AWS_111
- #checkov:skip=CKV_AWS_109
+ #checkov:skip=CKV_AWS_109
+ #checkov:skip=CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
 effect = "Allow"
 actions = ["kms:*"]
 resources = ["*"]
@@ -74,6 +92,10 @@ resource "aws_kms_alias" "kinesis-kms-alias" {
 ### Redshift KMS
 resource "aws_kms_key" "redshift-kms-key" {
+ #checkov:skip=CKV_AWS_33
+ #checkov:skip=CKV_AWS_227
+ #checkov:skip=CKV_AWS_7
+
 description = "Encryption key for Redshift Cluster"
 enable_key_rotation = true
 policy = data.aws_iam_policy_document.redhsift-kms.json
@@ -90,7 +112,15 @@ resource "aws_kms_key" "redshift-kms-key" {
 data "aws_iam_policy_document" "redhsift-kms" {
 statement {
 #checkov:skip=CKV_AWS_111
- #checkov:skip=CKV_AWS_109
+ #checkov:skip=CKV_AWS_109
+ #checkov:skip=CKV_AWS_110
+ #checkov:skip=CKV_AWS_358
+ #checkov:skip=CKV_AWS_107
+ #checkov:skip=CKV_AWS_1
+ #checkov:skip=CKV_AWS_283
+ #checkov:skip=CKV_AWS_49
+ #checkov:skip=CKV_AWS_108
+ #checkov:skip=CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
 effect = "Allow"
 actions = ["kms:*"]
 resources = ["*"]
@@ -109,6 +139,10 @@ resource "aws_kms_alias" "redshift-kms-alias" {
 ### RDS, Postgres KMS
 resource "aws_kms_key" "rds" {
+ #checkov:skip=CKV_AWS_33
+ #checkov:skip=CKV_AWS_227
+ #checkov:skip=CKV_AWS_7
+
 description = "Encryption key for RDS Instance"
 enable_key_rotation = true
 policy = data.aws_iam_policy_document.rds-kms.json
@@ -125,7 +159,15 @@ resource "aws_kms_key" "rds" { data "aws_iam_policy_document" "rds-kms" { statement { #checkov:skip=CKV_AWS_111 - #checkov:skip=CKV_AWS_109 + #checkov:skip=CKV_AWS_109 + #checkov:skip=CKV_AWS_110 + #checkov:skip=CKV_AWS_358 + #checkov:skip=CKV_AWS_107 + #checkov:skip=CKV_AWS_1 + #checkov:skip=CKV_AWS_283 + #checkov:skip=CKV_AWS_49 + #checkov:skip=CKV_AWS_108 + #checkov:skip=CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" effect = "Allow" actions = ["kms:*"] resources = ["*"] @@ -144,6 +186,11 @@ resource "aws_kms_alias" "rds-kms-alias" { # RDS Database Key resource "aws_kms_key" "operational_db" { + #checkov:skip=CKV2_AWS_64: "Ensure KMS key Policy is defined" + #checkov:skip=CKV_AWS_33 + #checkov:skip=CKV_AWS_227 + #checkov:skip=CKV_AWS_7 + description = "Encryption key for Operational DB" enable_key_rotation = true key_usage = "ENCRYPT_DECRYPT" diff --git a/terraform/environments/digital-prison-reporting/lake_formation.tf b/terraform/environments/digital-prison-reporting/lake_formation.tf index 766ee13e521..e202a733848 100644 --- a/terraform/environments/digital-prison-reporting/lake_formation.tf +++ b/terraform/environments/digital-prison-reporting/lake_formation.tf @@ -1,5 +1,5 @@ resource "aws_lakeformation_data_lake_settings" "lake_formation" { - admins = flatten([[for share in local.analytical_platform_share : aws_iam_role.analytical_platform_share_role[share.target_account_name].arn], data.aws_iam_session_context.current.issuer_arn]) + admins = flatten([[for share in local.analytical_platform_share : aws_iam_role.analytical_platform_share_role[share.target_account_name].arn], data.aws_iam_session_context.current.issuer_arn, try(one(data.aws_iam_roles.data_engineering_roles.arns), [])]) # ref: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lakeformation_data_lake_settings#principal create_database_default_permissions { 
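Review bot: `#checkov:skip=CKV2_AWS_64: "Ensure KMS key Policy is defined"` on `aws_kms_key.operational_db` suppresses the one finding in this file that reflects a real difference: unlike the s3, kinesis, redshift and rds keys, no `policy` argument is visible on this key, so it would fall back to the AWS default key policy (account-root access, delegated to IAM policies in the account). If that is intentional, say so in the skip, `#checkov:skip=CKV2_AWS_64: default key policy intended; use is governed by IAM policies in this account`, otherwise attach a policy document as the sibling keys do. The resource body continues outside the hunk, so the absence of `policy` is inferred, not confirmed.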
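Review bot: `try(one(data.aws_iam_roles.data_engineering_roles.arns), [])` in `admins` fails in a way that produces no error and no plan diff: if the regex in data.tf ever matches two roles, `one()` raises, `try()` swallows it, and the data-engineering role quietly stops being a Lake Formation admin. If it matches none, `one()` returns `null` rather than raising, so the `[]` fallback is never used and a `null` lands inside `flatten()`; I have not verified how the provider treats that. A Lake Formation admin can grant itself any permission, so the ARN set here should be deterministic: drop the `try()` so an unexpected match count fails the plan, e.g. `admins = flatten([[for share in local.analytical_platform_share : aws_iam_role.analytical_platform_share_role[share.target_account_name].arn], data.aws_iam_session_context.current.issuer_arn, one(data.aws_iam_roles.data_engineering_roles.arns)])`, and add a `length(...) == 1` precondition if the zero-match case must also be caught.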
diff --git a/terraform/environments/digital-prison-reporting/locals.tf b/terraform/environments/digital-prison-reporting/locals.tf index 514d5eb3778..9ec5c4fec1e 100644 --- a/terraform/environments/digital-prison-reporting/locals.tf +++ b/terraform/environments/digital-prison-reporting/locals.tf @@ -241,6 +241,26 @@ locals { create_transfercomp_lambda_layer = local.application_data.accounts[local.environment].create_transfer_component_lambda_layer lambda_transfercomp_layer_name = "${local.project}-redhift-jdbc-dependency-layer" + # Redshift Expired External Table Remover Lambda + lambda_redshift_table_expiry_enabled = true + lambda_redshift_table_expiry_name = "${local.project}-redshift-expired-external-table-remover" + lambda_redshift_table_expiry_runtime = "java11" + lambda_redshift_table_expiry_tracing = "Active" + lambda_redshift_table_expiry_handler = "uk.gov.justice.digital.lambda.RedShiftTableExpiryLambda::handleRequest" + lambda_redshift_table_expiry_code_s3_bucket = module.s3_artifacts_store.bucket_id + lambda_redshift_table_expiry_code_s3_key = "build-artifacts/digital-prison-reporting-lambdas/jars/digital-prison-reporting-lambdas-v0.0.12-all.jar" + lambda_redshift_table_expiry_policies = [ + "arn:aws:iam::${local.account_id}:policy/${local.kms_read_access_policy}", + aws_iam_policy.redshift_dataapi_cross_policy.arn, + ] + lambda_redshift_table_expiry_secret_arn = module.datamart.credential_secret_arn + lambda_redshift_table_expiry_cluster_id = module.datamart.cluster_id + lambda_redshift_table_expiry_database_name = module.datamart.cluster_database_name + lambda_redshift_table_expiry_schedule_expression = "rate(1 hour)" + lambda_redshift_table_expiry_seconds = "86400" + lambda_redshift_table_expiry_timeout_seconds = 900 + lambda_redshift_table_expiry_memory_size = 1024 + reporting_lambda_code_s3_key = "build-artifacts/digital-prison-reporting-lambdas/jars/digital-prison-reporting-lambdas-vLatest-all.jar" # s3 transfer 
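Review bot: `lambda_redshift_table_expiry_seconds = "86400"` is the only numeric setting in the new block written as a string, while the neighbouring `lambda_redshift_table_expiry_timeout_seconds = 900` and `lambda_redshift_table_expiry_memory_size = 1024` are numbers. If the module passes this value into a Lambda environment variable a string is required, but then a short comment should say so; otherwise write `86400` so the type matches its siblings. Pinning the artifact to `digital-prison-reporting-lambdas-v0.0.12-all.jar` rather than the `vLatest` key used by the existing `reporting_lambda_code_s3_key` is the better of the two conventions; keep it.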
diff --git a/terraform/environments/digital-prison-reporting/main.tf b/terraform/environments/digital-prison-reporting/main.tf index 7f717d4ad3d..67c9c367383 100644 --- a/terraform/environments/digital-prison-reporting/main.tf +++ b/terraform/environments/digital-prison-reporting/main.tf @@ -96,6 +96,8 @@ module "glue_reporting_hub_job" { # Glue Job, Reporting Hub Batch module "glue_reporting_hub_batch_job" { + #checkov:skip=CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS, Skipping for Timebeing in view of Cost Savings” + source = "./modules/glue_job" create_job = local.create_job name = "${local.project}-reporting-hub-batch-${local.env}" @@ -927,12 +929,16 @@ module "s3_artifacts_store" { # S3 Violation Zone Bucket, DPR-408 module "s3_working_bucket" { - source = "./modules/s3_bucket" - create_s3 = local.setup_buckets - name = "${local.project}-working-${local.environment}" - custom_kms_key = local.s3_kms_arn - create_notification_queue = false # For SQS Queue - enable_lifecycle = true + source = "./modules/s3_bucket" + create_s3 = local.setup_buckets + name = "${local.project}-working-${local.environment}" + custom_kms_key = local.s3_kms_arn + create_notification_queue = false # For SQS Queue + enable_lifecycle = true + enable_lifecycle_expiration = true + expiration_days = 2 + expiration_prefix_redshift = "reports/" + expiration_prefix_athena = "dpr/" tags = merge( local.all_tags, @@ -942,6 +948,7 @@ module "s3_working_bucket" { } ) } + ########################## # Data Domain Components # ########################## diff --git a/terraform/environments/digital-prison-reporting/modules/apigateway/serverless-lambda-gw/main.tf b/terraform/environments/digital-prison-reporting/modules/apigateway/serverless-lambda-gw/main.tf index 79dac91e7a8..1c075067b45 100644 --- a/terraform/environments/digital-prison-reporting/modules/apigateway/serverless-lambda-gw/main.tf 
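Review bot: The reason text on `#checkov:skip=CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS, Skipping for Timebeing in view of Cost Savings”` opens with a straight quote and closes with a typographic one (`”`); the same mixed quoting appears in the API gateway module on L83 (`“Ignoring AWS API gateway request validatation"`). Checkov treats everything after the colon as free text, so the suppression still works, but the mismatched quotes and the typo in `validatation` suggest the lines were pasted rather than written, and a time-boxed skip should carry a ticket reference or date rather than `Timebeing`. On `s3_working_bucket`, `expiration_days = 2` appears to apply to both the `reports/` and `dpr/` prefixes; that lifecycle change is the part of this hunk that deserves a sentence in the commit message.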
+++ b/terraform/environments/digital-prison-reporting/modules/apigateway/serverless-lambda-gw/main.tf @@ -1,4 +1,7 @@ +# tflint-ignore-file: terraform_required_version, terraform_required_providers + resource "aws_api_gateway_rest_api" "this" { + #checkov:skip=CKV_AWS_237: "Ensure Create before destroy for API Gateway" name = "${var.name}-rest-gw" endpoint_configuration { types = ["PRIVATE"] @@ -19,6 +22,11 @@ resource "aws_api_gateway_resource" "preview" { } resource "aws_api_gateway_method" "preview" { + #checkov:skip=CKV_AWS_70:Ensure API gateway method has authorization or API key set + #checkov:skip=CKV2_AWS_53: “Ignoring AWS API gateway request validatation" + #checkov:skip=CCKV_AWS_59: "Ensure there is no open access to back-end resources through API" + + authorization = "NONE" http_method = "ANY" resource_id = aws_api_gateway_resource.preview.id @@ -41,6 +49,10 @@ resource "aws_api_gateway_resource" "publish" { } resource "aws_api_gateway_method" "publish" { + #checkov:skip=CKV_AWS_70:Ensure API gateway method has authorization or API key set + #checkov:skip=CKV2_AWS_53: “Ignoring AWS API gateway request validatation" + #checkov:skip=CCKV_AWS_59: "Ensure there is no open access to back-end resources through API" + authorization = "NONE" http_method = "ANY" resource_id = aws_api_gateway_resource.publish.id @@ -57,6 +69,11 @@ resource "aws_api_gateway_integration" "publish" { } resource "aws_api_gateway_method" "this" { + #checkov:skip=CKV_AWS_70:Ensure API gateway method has authorization or API key set + #checkov:skip=CKV2_AWS_53: “Ignoring AWS API gateway request validatation" + #checkov:skip=CCKV_AWS_59: "Ensure there is no open access to back-end resources through API" + + authorization = "NONE" http_method = "ANY" resource_id = aws_api_gateway_resource.this.id 
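Review bot: `#checkov:skip=CCKV_AWS_59: "Ensure there is no open access to back-end resources through API"` on the three `aws_api_gateway_method` resources misspells the check id (checkov ids start with `CKV_`), so that line suppresses nothing and CKV_AWS_59 will keep being reported; the same typo appears as `CCKV_AWS_120` on the stage resource on L84. The `CKV_AWS_70` skip is the one that matters: each method sets `authorization = "NONE"`, and the only mitigation visible in the hunk is the REST API's `types = ["PRIVATE"]` endpoint configuration, which the skip text does not mention. Record it, e.g. `#checkov:skip=CKV_AWS_70: private REST API; access is controlled at the VPC endpoint/resource policy, not per method` (adjust to what is actually configured), and confirm that a resource policy is attached to the REST API, which is outside this hunk.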
@@ -73,6 +90,9 @@ resource "aws_api_gateway_integration" "this" { } resource "aws_lambda_permission" "apigw_lambda" { + #checkov:skip=CKV_AWS_364:Ensure that AWS Lambda function permissions delegated to AWS services are limited by SourceArn or SourceAccount + #checkov:skip=CKV_AWS_301:Ensure that AWS Lambda function is not publicly accessible + statement_id = "AllowExecutionFromAPIGateway" action = "lambda:InvokeFunction" function_name = var.lambda_name @@ -81,6 +101,8 @@ resource "aws_lambda_permission" "apigw_lambda" { } resource "aws_api_gateway_deployment" "default_deployment" { + #checkov:skip=CKV_AWS_217:Ensure Create before destroy for API deployments + rest_api_id = aws_api_gateway_rest_api.this.id triggers = { redeployment = sha1(jsonencode([ @@ -111,6 +133,11 @@ resource "aws_api_gateway_deployment" "default_deployment" { } resource "aws_api_gateway_stage" "default_deployment" { + #checkov:skip=CKV2_AWS_4: "Ignore - Ensure API Gateway stage have logging level defined as appropriate" + #checkov:skip=CKV2_AWS_51: "Ignore - Ensure AWS API Gateway endpoints uses client certificate authentication" + #checkov:skip=CCKV_AWS_120: "Ensure API Gateway caching is enabled" + #checkov:skip=CKV_AWS_73: "Ensure API Gateway has X-Ray Tracing enabled" + #checkov:skip=CKV_AWS_76: "Ensure API Gateway has Access Logging enabled" deployment_id = aws_api_gateway_deployment.default_deployment.id rest_api_id = aws_api_gateway_rest_api.this.id stage_name = "default" diff --git a/terraform/environments/digital-prison-reporting/modules/apigateway/serverless-lambda-gw/variables.tf b/terraform/environments/digital-prison-reporting/modules/apigateway/serverless-lambda-gw/variables.tf index bd33d0f45e4..5fda36369db 100644 --- a/terraform/environments/digital-prison-reporting/modules/apigateway/serverless-lambda-gw/variables.tf +++ b/terraform/environments/digital-prison-reporting/modules/apigateway/serverless-lambda-gw/variables.tf 
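Review bot: Skipping `CKV_AWS_364` and `CKV_AWS_301` on `aws_lambda_permission.apigw_lambda` hides a confused-deputy gap rather than documenting an accepted one: a permission granted to the API Gateway service principal without a `source_arn` lets any API Gateway, in any account, invoke `var.lambda_name`. The rest of the resource body is outside the hunk, so I cannot see whether `source_arn` is set; if it is not, `source_arn = "${aws_api_gateway_rest_api.this.execution_arn}/*/*"` restricts invocation to this REST API and makes both skips unnecessary. On `aws_api_gateway_stage.default_deployment`, `CCKV_AWS_120` is misspelled and silently ignored, and the `CKV_AWS_76` skip switches off access logging, the only request-level audit trail for methods that have no authorization.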
@@ -1,11 +1,13 @@ variable "region" { description = "Current AWS Region." default = "eu-west-2" + type = string } variable "account" { description = "AWS Account ID." default = "" + type = string } variable "enable_gateway" { diff --git a/terraform/environments/digital-prison-reporting/modules/apigateway/serverless-lambda-gw/versions.tf b/terraform/environments/digital-prison-reporting/modules/apigateway/serverless-lambda-gw/versions.tf new file mode 100644 index 00000000000..ea265eb2f9b --- /dev/null +++ b/terraform/environments/digital-prison-reporting/modules/apigateway/serverless-lambda-gw/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_providers { + aws = { + version = "~> 5.0" + source = "hashicorp/aws" + } + + } + required_version = "~> 1.0" +} diff --git a/terraform/environments/digital-prison-reporting/modules/athena_federated_query_connectors/oracle/iam.tf b/terraform/environments/digital-prison-reporting/modules/athena_federated_query_connectors/oracle/iam.tf index f59060694df..cdc099e1ac5 100644 --- a/terraform/environments/digital-prison-reporting/modules/athena_federated_query_connectors/oracle/iam.tf +++ b/terraform/environments/digital-prison-reporting/modules/athena_federated_query_connectors/oracle/iam.tf @@ -1,3 +1,5 @@ +# tflint-ignore-file: terraform_required_version, terraform_required_providers + # The Connector Lambda will use this policy to access everything it needs resource "aws_iam_policy" "athena_federated_query_connector_policy" { name = "${var.project_prefix}_athena_federated_query_connector_policy" 
@@ -127,6 +129,8 @@ resource "aws_iam_role" "athena_federated_query_lambda_execution_role" { } resource "aws_iam_role_policy_attachment" "athena_federated_query_lambda_role_policy_attachment" { + #checkov:skip=CKV_AWS_274:Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy + policy_arn = aws_iam_policy.athena_federated_query_connector_policy.arn role = aws_iam_role.athena_federated_query_lambda_execution_role.name } diff --git a/terraform/environments/digital-prison-reporting/modules/athena_federated_query_connectors/oracle/main.tf b/terraform/environments/digital-prison-reporting/modules/athena_federated_query_connectors/oracle/main.tf index af539b2e89a..4c46d882ba5 100644 --- a/terraform/environments/digital-prison-reporting/modules/athena_federated_query_connectors/oracle/main.tf +++ b/terraform/environments/digital-prison-reporting/modules/athena_federated_query_connectors/oracle/main.tf @@ -1,3 +1,5 @@ +# tflint-ignore-file: terraform_required_version, terraform_required_providers + locals { default_connection = { "default" = values(var.connection_strings)[0] } # Transform connection_strings to the format required by the connector environment properties and add a default @@ -5,6 +7,7 @@ locals { } resource "aws_security_group" "athena_federated_query_lambda_sg" { + #checkov:skip=CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing" name_prefix = "${var.project_prefix}-athena-federated-query-lambda-security-group" description = "Athena Federated Query Oracle Lambda Security Group" vpc_id = var.vpc_id 
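Review bot: `#checkov:skip=CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"` is placed on `aws_security_group.athena_federated_query_lambda_sg`, but CKV_AWS_272 is a Lambda-function check and checkov skip comments apply to the resource block they sit in, so this line suppresses nothing where it is; move it to `aws_lambda_function.athena_federated_query_oracle_lambda` on L87 if it is wanted at all. `#checkov:skip=CKV_AWS_274:Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy` on the role-policy attachment copies the check title; the attached policy is the module's own `athena_federated_query_connector_policy`, so if CKV_AWS_274 really fired, that policy's scope is what should be examined, and if it did not fire the skip is dead weight.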
@@ -39,6 +42,9 @@ resource "aws_security_group" "athena_federated_query_lambda_sg" { } resource "aws_lambda_function" "athena_federated_query_oracle_lambda" { + #checkov:skip=CKV_AWS_173: "Check encryption settings for Lambda environmental variable" + #checkov:skip=CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)" + function_name = "${var.project_prefix}-athena-federated-query-oracle-function" role = aws_iam_role.athena_federated_query_lambda_execution_role.arn handler = "com.amazonaws.athena.connectors.oracle.OracleMuxCompositeHandler" diff --git a/terraform/environments/digital-prison-reporting/modules/athena_federated_query_connectors/oracle/versions.tf b/terraform/environments/digital-prison-reporting/modules/athena_federated_query_connectors/oracle/versions.tf new file mode 100644 index 00000000000..ea265eb2f9b --- /dev/null +++ b/terraform/environments/digital-prison-reporting/modules/athena_federated_query_connectors/oracle/versions.tf @@ -0,0 +1,10 @@ +terraform { + required_providers { + aws = { + version = "~> 5.0" + source = "hashicorp/aws" + } + + } + required_version = "~> 1.0" +} diff --git a/terraform/environments/digital-prison-reporting/modules/compute_node/main.tf b/terraform/environments/digital-prison-reporting/modules/compute_node/main.tf index 34f0afb7080..33d02f6be7a 100644 --- a/terraform/environments/digital-prison-reporting/modules/compute_node/main.tf +++ b/terraform/environments/digital-prison-reporting/modules/compute_node/main.tf @@ -46,6 +46,7 @@ resource "aws_security_group_rule" "ingress_traffic" { # Needs revision for Egress after POC resource "aws_security_group_rule" "egress_traffic" { + #checkov:skip=CKV_AWS_23: "Ensure every security group and rule has a description" count = var.enable_compute_node ? 1 : 0 security_group_id = aws_security_group.ec2_sec_group[0].id 
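Review bot: `#checkov:skip=CKV_AWS_173: "Check encryption settings for Lambda environmental variable"` on `aws_lambda_function.athena_federated_query_oracle_lambda` deserves a reason rather than the check title, because the module's locals build the connector environment from `var.connection_strings`, and Oracle JDBC connection strings commonly carry credentials. If they do here, setting `kms_key_arn` on the function (a customer-managed key for its environment variables) removes the finding instead of suppressing it; if the strings only reference a secret, say so in the skip. On `aws_security_group_rule.egress_traffic` in compute_node, the `CKV_AWS_23` skip is longer than the fix: add `description = "Egress from compute node; to be restricted after POC"` and drop the skip.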
diff --git a/terraform/environments/digital-prison-reporting/modules/dms/iam.tf b/terraform/environments/digital-prison-reporting/modules/dms/iam.tf index 7a952af8b47..40fba7047f6 100644 --- a/terraform/environments/digital-prison-reporting/modules/dms/iam.tf +++ b/terraform/environments/digital-prison-reporting/modules/dms/iam.tf @@ -21,6 +21,15 @@ EOF # Attach s3 target operation policy to the role resource "aws_iam_policy" "dms-s3-target-policy" { + #checkov:skip=CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints" + #checkov:skip=CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" + #checkov:skip=CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints" + #checkov:skip=CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration" + #checkov:skip=CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints" + #checkov:skip=CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" + #checkov:skip=CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints" + + name = "dms-${var.short_name}-s3-target-policy" policy = < account if account.xray_enabled } - datasource_id = data.grafana_data_source.xray[each.key].id + datasource_uid = trimprefix(data.grafana_data_source.xray[each.key].id, "1:") permissions { team_id = grafana_team.this.id @@ -68,7 +68,7 @@ resource "grafana_data_source_permission" "amazon_prometheus" { for name, account in var.aws_accounts : name => account if account.amazon_prometheus_query_enabled } - datasource_id = data.grafana_data_source.amazon_prometheus[each.key].id + datasource_uid = trimprefix(data.grafana_data_source.amazon_prometheus[each.key].id, "1:") permissions { team_id = grafana_team.this.id 
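Review bot: The skip list on `aws_iam_policy.dms-s3-target-policy` repeats `CKV_AWS_290`, `CKV_AWS_355` and `CKV_AWS_289` twice each; the duplicates are harmless to checkov but show the block was pasted, and none of the seven lines says which statement of this S3 target policy needs unconstrained write access or a `*` resource and why. State that in the skip text so the waiver can be re-evaluated when the policy changes. The policy body after `policy = <` is garbled in this view, so I cannot check the statements the skips cover.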
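Review bot: `datasource_uid = trimprefix(data.grafana_data_source.amazon_prometheus[each.key].id, "1:")` recovers the UID by stripping a hard-coded org prefix from the provider's composite `id`, which ties the module to org 1 and to an internal id format; the sibling `xray` permission above uses the same expression. The `grafana_data_source` data source exposes `uid` directly, so `datasource_uid = data.grafana_data_source.amazon_prometheus[each.key].uid` is shorter and stays correct if the org id or the id format changes.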
diff --git a/terraform/environments/observability-platform/modules/grafana/team/providers.tf b/terraform/environments/observability-platform/modules/grafana/team/providers.tf index c36dba38290..44c0cfe83c9 100644 --- a/terraform/environments/observability-platform/modules/grafana/team/providers.tf +++ b/terraform/environments/observability-platform/modules/grafana/team/providers.tf @@ -6,7 +6,7 @@ terraform { } grafana = { source = "grafana/grafana" - version = "~> 2.0" + version = "~> 3.0" } } required_version = "~> 1.0" diff --git a/terraform/environments/observability-platform/modules/grafana/xray-source/providers.tf b/terraform/environments/observability-platform/modules/grafana/xray-source/providers.tf index 0cf5412a063..516d493291f 100644 --- a/terraform/environments/observability-platform/modules/grafana/xray-source/providers.tf +++ b/terraform/environments/observability-platform/modules/grafana/xray-source/providers.tf @@ -2,7 +2,7 @@ terraform { required_providers { grafana = { source = "grafana/grafana" - version = "~> 2.0" + version = "~> 3.0" } } required_version = "~> 1.0" diff --git a/terraform/environments/observability-platform/modules/prometheus/iam-role/main.tf b/terraform/environments/observability-platform/modules/prometheus/iam-role/main.tf index c89f24a8a34..36a57fb3e80 100644 --- a/terraform/environments/observability-platform/modules/prometheus/iam-role/main.tf +++ b/terraform/environments/observability-platform/modules/prometheus/iam-role/main.tf @@ -21,7 +21,7 @@ module "iam_policy" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-policy" - version = "5.39.1" + version = "5.44.0" name_prefix = "${var.name}-prometheus" 
@@ -33,7 +33,7 @@ module "iam_role" { #checkov:skip=CKV_TF_2:Module registry does not support tags for versions source = "terraform-aws-modules/iam/aws//modules/iam-assumable-role" - version = "5.39.1" + version = "5.44.0" create_role = true role_name = "${var.name}-prometheus" diff --git a/terraform/environments/observability-platform/platform_versions.tf b/terraform/environments/observability-platform/platform_versions.tf index 7024e807f58..389eeeb7e9f 100644 --- a/terraform/environments/observability-platform/platform_versions.tf +++ b/terraform/environments/observability-platform/platform_versions.tf @@ -6,7 +6,7 @@ terraform { } grafana = { source = "grafana/grafana" - version = "2.5.0" + version = "~> 3.0" } http = { version = "~> 3.0" diff --git a/terraform/environments/planetfm/locals.tf b/terraform/environments/planetfm/locals.tf index ae9c34e0194..b7b6f62bb3a 100644 --- a/terraform/environments/planetfm/locals.tf +++ b/terraform/environments/planetfm/locals.tf @@ -40,12 +40,6 @@ locals { enable_s3_bucket = true enable_s3_software_bucket = true s3_iam_policies = ["EC2S3BucketWriteAndDeleteAccessPolicy"] - - sns_topics = { - pagerduty_integrations = { - planetfm_pagerduty = "planetfm_alarms" - } - } } } diff --git a/terraform/environments/planetfm/locals_cloudwatch_metric_alarms.tf b/terraform/environments/planetfm/locals_cloudwatch_metric_alarms.tf new file mode 100644 index 00000000000..0ac2ca7b22d --- /dev/null +++ b/terraform/environments/planetfm/locals_cloudwatch_metric_alarms.tf 
@@ -0,0 +1,36 @@ +locals { + cloudwatch_metric_alarms = { + windows = { + cwagent-process-count = { + alarm_description = "The CloudWatch agent runs 2 processes. If the PID count drops below 2, the agent is not functioning as expected." + namespace = "CWAgent" + metric_name = "procstat_lookup pid_count" + period = 60 + evaluation_periods = 1 + statistic = "Average" + comparison_operator = "LessThanThreshold" + threshold = 2 # CloudWatch agent runs 2 processes + treat_missing_data = "breaching" + dimensions = { + exe = "amazon-cloudwatch-agent" + pid_finder = "native" + } + } + ssm-agent-process-count = { + alarm_description = "The SSM agent runs 2 processes. If the PID count drops below 2, the agent is not functioning as expected." + namespace = "CWAgent" + metric_name = "procstat_lookup pid_count" + period = 60 + evaluation_periods = 1 + statistic = "Average" + comparison_operator = "LessThanThreshold" + threshold = 2 # SSM agent runs 2 processes + treat_missing_data = "breaching" + dimensions = { + exe = "ssm-agent" + pid_finder = "native" + } + } + } + } +} diff --git a/terraform/environments/planetfm/locals_ec2_instances.tf b/terraform/environments/planetfm/locals_ec2_instances.tf index 088ed3d59e4..ca133d60f4d 100644 --- a/terraform/environments/planetfm/locals_ec2_instances.tf +++ b/terraform/environments/planetfm/locals_ec2_instances.tf @@ -6,6 +6,7 @@ locals { cloudwatch_metric_alarms = merge( module.baseline_presets.cloudwatch_metric_alarms.ec2, module.baseline_presets.cloudwatch_metric_alarms.ec2_cwagent_windows, + local.cloudwatch_metric_alarms.windows, ) config = { ami_owner = "self" @@ -88,6 +89,7 @@ locals { cloudwatch_metric_alarms = merge( module.baseline_presets.cloudwatch_metric_alarms.ec2, module.baseline_presets.cloudwatch_metric_alarms.ec2_cwagent_windows, + local.cloudwatch_metric_alarms.windows, ) config = { availability_zone = "eu-west-2a" 
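Review bot: The two alarm blocks in `local.cloudwatch_metric_alarms.windows` are identical apart from `exe` and the agent name in the description, and each carries its own `# ... runs 2 processes` comment, so the next agent added here becomes a third copy. A `for` expression over a small map keeps one definition of the metric, period and threshold, which matters because those values have to agree with the `procstat` block added to `templates/cloud_watch_windows.json` in the same commit. `treat_missing_data = "breaching"` is the right choice: when the CloudWatch agent itself is down no datapoint arrives at all, and that is exactly the condition to page on.
```hcl
locals {
  cloudwatch_metric_alarms = {
    windows = {
      for key, agent in {
        cwagent-process-count   = { exe = "amazon-cloudwatch-agent", label = "CloudWatch agent" }
        ssm-agent-process-count = { exe = "ssm-agent", label = "SSM agent" }
      } : key => {
        alarm_description   = "The ${agent.label} runs 2 processes. If the PID count drops below 2, the agent is not functioning as expected."
        namespace           = "CWAgent"
        metric_name         = "procstat_lookup pid_count"
        period              = 60
        evaluation_periods  = 1
        statistic           = "Average"
        comparison_operator = "LessThanThreshold"
        threshold           = 2 # both agents run 2 processes
        treat_missing_data  = "breaching"
        dimensions = {
          exe        = agent.exe
          pid_finder = "native"
        }
      }
    }
  }
}
```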
@@ -121,6 +123,7 @@ locals { backup = "false" component = "web" os-type = "Windows" + server-type = "PlanetFMWeb" update-ssm-agent = "patchgroup1" } } diff --git a/terraform/environments/planetfm/locals_preproduction.tf b/terraform/environments/planetfm/locals_preproduction.tf index 147715e492b..d395d8665cd 100644 --- a/terraform/environments/planetfm/locals_preproduction.tf +++ b/terraform/environments/planetfm/locals_preproduction.tf @@ -1,7 +1,14 @@ locals { baseline_presets_preproduction = { - options = {} + options = { + cloudwatch_metric_alarms_default_actions = ["pagerduty"] + sns_topics = { + pagerduty_integrations = { + pagerduty = "planetfm-preproduction" + } + } + } } # please keep resources in alphabetical order @@ -87,7 +94,6 @@ locals { }) tags = merge(local.ec2_instances.db.tags, { ami = "pp-cafm-db-a" - app-config-status = "pending" description = "SQL Server" instance-scheduling = "skip-scheduling" pre-migration = "PPFDW0030" @@ -99,6 +105,9 @@ locals { config = merge(local.ec2_instances.web.config, { ami_name = "pp-cafm-w-4-b" availability_zone = "eu-west-2b" + instance_profile_policies = concat(local.ec2_instances.web.config.instance_profile_policies, [ + "Ec2PpWebPolicy", + ]) }) ebs_volumes = { "/dev/sda1" = { type = "gp3", size = 128 } # root volume @@ -119,14 +128,17 @@ locals { config = merge(local.ec2_instances.web.config, { ami_name = "pp-cafm-w-5-a" availability_zone = "eu-west-2a" + instance_profile_policies = concat(local.ec2_instances.web.config.instance_profile_policies, [ + "Ec2PpWebPolicy", + ]) }) + ebs_volumes = { + "/dev/sda1" = { type = "gp3", size = 128 } # root volume + } instance = merge(local.ec2_instances.web.instance, { disable_api_termination = true instance_type = "t3.large" }) - ebs_volumes = { - "/dev/sda1" = { type = "gp3", size = 128 } # root volume - } tags = merge(local.ec2_instances.web.tags, { ami = "pp-cafm-w-5-a" description = "Migrated server PPFWW0005 Web Portal Server" 
@@ -136,6 +148,32 @@ locals { }) } + iam_policies = { + Ec2PpWebPolicy = { + description = "Permissions required for POSH-ACME Route53 Plugin" + statements = [ + { + effect = "Allow" + actions = [ + "route53:ListHostedZones", + ] + resources = ["*"] + }, + { + effect = "Allow" + actions = [ + "route53:GetHostedZone", + "route53:ListResourceRecordSets", + "route53:ChangeResourceRecordSets" + ] + resources = [ + "arn:aws:route53:::hostedzone/*", + ] + }, + ] + } + } + lbs = { private = merge(local.lbs.private, { instance_target_groups = { @@ -148,6 +186,15 @@ locals { } listeners = merge(local.lbs.private.listeners, { https = merge(local.lbs.private.listeners.https, { + default_action = { + type = "redirect" + redirect = { + host = "cafmwebx.pp.planetfm.service.justice.gov.uk" + port = "443" + protocol = "HTTPS" + status_code = "HTTP_302" + } + } rules = { web-45-80 = { priority = 4580 @@ -159,7 +206,6 @@ locals { host_header = { values = [ "cafmwebx.pp.planetfm.service.justice.gov.uk", - "pp-cafmwebx.az.justice.gov.uk", ] } }] diff --git a/terraform/environments/planetfm/locals_production.tf b/terraform/environments/planetfm/locals_production.tf index d53fcaed99d..a8aa73adbde 100644 --- a/terraform/environments/planetfm/locals_production.tf +++ b/terraform/environments/planetfm/locals_production.tf @@ -1,7 +1,14 @@ locals { baseline_presets_production = { - options = {} + options = { + cloudwatch_metric_alarms_default_actions = ["pagerduty"] + sns_topics = { + pagerduty_integrations = { + pagerduty = "planetfm-production" + } + } + } } # please keep resources in alphabetical order @@ -153,11 +160,10 @@ locals { instance_type = "r6i.4xlarge" }) tags = merge(local.ec2_instances.db.tags, { - app-config-status = "pending" - ami = "pd-cafm-db-a" - description = "SQL Server" - pre-migration = "PDFDW0030" - update-ssm-agent = "patchgroup1" + ami = "pd-cafm-db-a" + description = "SQL Server" + pre-migration = "PDFDW0030" + update-ssm-agent = "patchgroup1" }) }) 
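Review bot: `Ec2PpWebPolicy` grants `route53:ChangeResourceRecordSets` on `arn:aws:route53:::hostedzone/*`, so the preproduction web instance profile can rewrite any record in every hosted zone this account owns; `Ec2PdWebPolicy` on L95 does the same for production. A DNS-01 ACME client (the description names the POSH-ACME Route53 plugin) only needs to write TXT records in the zones it validates, so list those zone ARNs, `resources = ["arn:aws:route53:::hostedzone/<ZONE_ID placeholder>"]`, and, if the baseline module's statement format accepts conditions, limit the record type with the `route53:ChangeResourceRecordSetsRecordTypes` condition key set to `TXT`. `route53:ListHostedZones` on `*` is fine; that action does not take a resource.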
@@ -186,11 +192,10 @@ locals { instance_type = "r6i.4xlarge" }) tags = merge(local.ec2_instances.db.tags, { - app-config-status = "pending" - ami = "pd-cafm-db-b" - description = "SQL resilient Server" - pre-migration = "PDFDW0031" - update-ssm-agent = "patchgroup2" + ami = "pd-cafm-db-b" + description = "SQL resilient Server" + pre-migration = "PDFDW0031" + update-ssm-agent = "patchgroup2" }) }) @@ -203,6 +208,9 @@ locals { config = merge(local.ec2_instances.web.config, { ami_name = "pd-cafm-w-36-b" availability_zone = "eu-west-2b" + instance_profile_policies = concat(local.ec2_instances.web.config.instance_profile_policies, [ + "Ec2PdWebPolicy", + ]) }) ebs_volumes = { "/dev/sda1" = { type = "gp3", size = 128 } # root volume @@ -228,6 +236,9 @@ locals { config = merge(local.ec2_instances.web.config, { ami_name = "pd-cafm-w-37-a" availability_zone = "eu-west-2a" + instance_profile_policies = concat(local.ec2_instances.web.config.instance_profile_policies, [ + "Ec2PdWebPolicy", + ]) }) ebs_volumes = { "/dev/sda1" = { type = "gp3", size = 128 } # root volume @@ -238,9 +249,9 @@ locals { instance_type = "t3.xlarge" }) tags = { - pre-migration = "PFWW00037" - description = "CAFM Assessment Management" ami = "pd-cafm-w-37-a" + description = "CAFM Assessment Management" + pre-migration = "PFWW00037" update-ssm-agent = "patchgroup1" } }) @@ -253,6 +264,9 @@ locals { config = merge(local.ec2_instances.web.config, { ami_name = "pd-cafm-w-38-b" availability_zone = "eu-west-2b" + instance_profile_policies = concat(local.ec2_instances.web.config.instance_profile_policies, [ + "Ec2PdWebPolicy", + ]) }) ebs_volumes = { "/dev/sda1" = { type = "gp3", size = 128 } # root volume 
@@ -271,6 +285,32 @@ locals { }) } + iam_policies = { + Ec2PdWebPolicy = { + description = "Permissions required for POSH-ACME Route53 Plugin" + statements = [ + { + effect = "Allow" + actions = [ + "route53:ListHostedZones", + ] + resources = ["*"] + }, + { + effect = "Allow" + actions = [ + "route53:GetHostedZone", + "route53:ListResourceRecordSets", + "route53:ChangeResourceRecordSets" + ] + resources = [ + "arn:aws:route53:::hostedzone/*", + ] + }, + ] + } + } + lbs = { private = merge(local.lbs.private, { access_logs_lifecycle_rule = [module.baseline_presets.s3_lifecycle_rules.general_purpose_one_year] @@ -295,6 +335,16 @@ locals { "web-3637-80", ] + default_action = { + type = "redirect" + redirect = { + host = "cafmwebx2.planetfm.service.justice.gov.uk" + port = "443" + protocol = "HTTPS" + status_code = "HTTP_302" + } + } + rules = { web-3637-80 = { priority = 3637 @@ -306,7 +356,6 @@ locals { host_header = { values = [ "cafmwebx2.planetfm.service.justice.gov.uk", - "cafmwebx2.az.justice.gov.uk", ] } }] @@ -333,6 +382,16 @@ locals { } route53_zones = { + "cafmtrainweb.az.justice.gov.uk" = { + lb_alias_records = [ + { name = "", type = "A", lbs_map_key = "private" }, + ] + } + "cafmwebx2.az.justice.gov.uk" = { + records = [ + { name = "", type = "A", ttl = 300, records = ["10.40.15.201"] }, + ] + } "planetfm.service.justice.gov.uk" = { records = [ { name = "_a6a2b9e651b91ed3f1e906b4f1c3c317", type = "CNAME", ttl = 86400, records = ["_c4257165635a7b495df6c4fbd986c09f.mhbtsbpdnt.acm-validations.aws"] }, diff --git a/terraform/environments/planetfm/templates/cloud_watch_windows.json b/terraform/environments/planetfm/templates/cloud_watch_windows.json index 1dbb63b88cb..82d0dbafc17 100644 --- a/terraform/environments/planetfm/templates/cloud_watch_windows.json +++ b/terraform/environments/planetfm/templates/cloud_watch_windows.json 
@@ -74,10 +74,37 @@ "Requests Queued", "Application Restarts" ] - } + }, + "procstat": [ + { + "exe": "ssm-agent", + "measurement": [ + "cpu_time_system", + "cpu_time_user", + "memory_rss", + "num_threads", + "pid_count", + "pid", + "read_bytes", + "write_bytes" + ] + }, + { + "exe": "amazon-cloudwatch-agent", + "measurement": [ + "cpu_time_system", + "cpu_time_user", + "memory_rss", + "num_threads", + "pid_count", + "pid", + "read_bytes", + "write_bytes" + ] + } + ] }, "append_dimensions": { - "ImageId": "${aws:ImageId}", "InstanceId": "${aws:InstanceId}", "AutoScalingGroupName": "${aws:AutoScalingGroupName}" }, diff --git a/terraform/environments/sprinkler/application_variables.json b/terraform/environments/sprinkler/application_variables.json index c934cc2b8c0..ed8a021a733 100644 --- a/terraform/environments/sprinkler/application_variables.json +++ b/terraform/environments/sprinkler/application_variables.json @@ -5,7 +5,7 @@ "region": "eu-west-2", "ecs_type": "FARGATE", "rds_storage": 5, - "rds_postgresql_version": "12.11", + "rds_postgresql_version": "12.15", "rds_instance_class": "db.t3.micro" }, "production": { @@ -13,7 +13,7 @@ "region": "eu-west-2", "ecs_type": "FARGATE", "rds_storage": 5, - "rds_postgresql_version": "12.11", + "rds_postgresql_version": "12.15", "rds_instance_class": "db.t3.micro" } } diff --git a/terraform/environments/sprinkler/bastion_linux.tf b/terraform/environments/sprinkler/bastion_linux.tf index 6af4c520bf3..413fff3384c 100644 --- a/terraform/environments/sprinkler/bastion_linux.tf +++ b/terraform/environments/sprinkler/bastion_linux.tf 
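Review bot: Dropping `"ImageId": "${aws:ImageId}"` from `append_dimensions` changes the dimension set of every metric this agent publishes, not only the new procstat ones, so any existing alarm or dashboard that selects on `ImageId` will stop matching and go to INSUFFICIENT_DATA, or into ALARM where `treat_missing_data` is `breaching`. If the intent is that alarms survive AMI rotation that is a sound change, but it deserves a sentence in the commit and a check that the baseline alarms merged in `locals_ec2_instances.tf` do not name `ImageId`. The two `procstat` entries list the same eight measurements; JSON gives no way to factor that, so just keep them in step when one is edited.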
@@ -4,7 +4,7 @@ locals { # tfsec:ignore:aws-s3-enable-bucket-encryption tfsec:ignore:aws-s3-encryption-customer-key tfsec:ignore:aws-s3-enable-bucket-logging tfsec:ignore:aws-s3-enable-versioning module "bastion_linux" { - source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1" + source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3f454e2014a62990aacd5d68c64d026f11" # v4.2.1 providers = { aws.share-host = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts diff --git a/terraform/environments/sprinkler/monitoring.tf b/terraform/environments/sprinkler/monitoring.tf index bab04877a3c..9d4e2bcd08a 100644 --- a/terraform/environments/sprinkler/monitoring.tf +++ b/terraform/environments/sprinkler/monitoring.tf @@ -45,7 +45,7 @@ module "pagerduty_core_alerts" { depends_on = [ aws_sns_topic.sprinkler_ddos_alarm ] - source = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0" + source = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4" # v2.0.0 sns_topics = [aws_sns_topic.sprinkler_ddos_alarm.name] pagerduty_integration_key = local.pagerduty_integration_keys["ddos_cloudwatch"] } diff --git a/terraform/environments/sprinkler/platform_versions.tf b/terraform/environments/sprinkler/platform_versions.tf index e32e62b71b0..84382ce5c56 100644 --- a/terraform/environments/sprinkler/platform_versions.tf +++ b/terraform/environments/sprinkler/platform_versions.tf @@ -10,7 +10,11 @@ terraform { } random = { source = "hashicorp/random" - version = "3.6.1" + version = "3.6.2" + } + template = { + source = "hashicorp/template" + version = "~> 2" } } required_version = "~> 1.0" diff --git a/terraform/environments/sprinkler/ssm.tf b/terraform/environments/sprinkler/ssm.tf index e4d6f952f03..e2a51f3cfc7 100644 --- a/terraform/environments/sprinkler/ssm.tf 
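Review bot: The added `template` provider, `source = "hashicorp/template"`, is archived by HashiCorp and no longer maintained — its functionality was folded into the built-in `templatefile()` function — and it ships no darwin/arm64 build, so plans run from Apple-silicon machines fail unless a community build is substituted. Unless a module this environment depends on still requires it, render any `template_file` data sources with `templatefile()` instead and drop the block. If it has to stay, pin it exactly like the sibling `random` entry, `version = "2.2.0"`, rather than `"~> 2"`, so the provider pinning in this file stays consistent. The `terraform {}` block begins outside the hunk.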
+++ b/terraform/environments/sprinkler/ssm.tf @@ -1,5 +1,5 @@ module "ssm-auto-patching" { - source = "github.com/ministryofjustice/modernisation-platform-terraform-ssm-patching.git?ref=v1.0.0" + source = "github.com/ministryofjustice/modernisation-platform-terraform-ssm-patching?ref=58f4d7e159d1670010ee97b83040e37f3c559c87" # v3.1.0 providers = { aws.bucket-replication = aws } diff --git a/terraform/environments/tribunals/asg-shared.tf b/terraform/environments/tribunals/asg-shared.tf index 29cacceb7f1..79fb6478ea2 100644 --- a/terraform/environments/tribunals/asg-shared.tf +++ b/terraform/environments/tribunals/asg-shared.tf @@ -156,6 +156,7 @@ data "aws_ssm_parameter" "ecs_optimized_ami" { } # Create the Launch Template and assign the instance profile +# Comment out the aws_launch_template and aws_autoscaling_group if you ever need to delete and recreate the ec2 instance resource "aws_launch_template" "tribunals-all-lt" { name_prefix = "tribunals-all" image_id = jsondecode(data.aws_ssm_parameter.ecs_optimized_ami.value)["image_id"] @@ -179,9 +180,9 @@ resource "aws_launch_template" "tribunals-all-lt" { network_interfaces { device_index = 0 security_groups = [aws_security_group.cluster_ec2.id] - subnet_id = data.aws_subnet.private_subnets_a.id + subnet_id = data.aws_subnet.public_subnets_a.id delete_on_termination = true - associate_public_ip_address = false + associate_public_ip_address = true } tag_specifications { @@ -198,7 +199,7 @@ resource "aws_launch_template" "tribunals-all-lt" { # # Finally, create the Auto scaling group for the launch template resource "aws_autoscaling_group" "tribunals-all-asg" { - vpc_zone_identifier = [data.aws_subnet.private_subnets_a.id] + vpc_zone_identifier = [data.aws_subnet.public_subnets_a.id] desired_capacity = 1 max_size = 1 min_size = 1 diff --git a/terraform/environments/tribunals/load_balancer_sftp.tf b/terraform/environments/tribunals/load_balancer_sftp.tf index 746413451aa..e684834efe6 100644 
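Review bot: The `network_interfaces` hunk moves the ECS container instance into `data.aws_subnet.public_subnets_a` and sets `associate_public_ip_address = true`, so every instance the ASG launches is now directly reachable from the internet, and the commit gives no rationale for the change. If the goal is outbound access (image pulls, SSM), a NAT gateway route from the private subnet achieves that without a public IP and leaves the previous exposure unchanged. Whichever way it goes, the ingress rules of `aws_security_group.cluster_ec2` (defined outside this hunk) should be reviewed against the new reachability, and the reason recorded in a comment on `associate_public_ip_address`. The same subnet change in the `aws_autoscaling_group` hunk needs no separate note; the added comment in the first hunk about commenting resources out could instead point at `terraform apply -replace=aws_launch_template.tribunals-all-lt`.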
--- a/terraform/environments/tribunals/load_balancer_sftp.tf +++ b/terraform/environments/tribunals/load_balancer_sftp.tf @@ -15,19 +15,6 @@ resource "aws_security_group" "tribunals_lb_sc_sftp" { name = "tribunals-load-balancer-sg-sftp" description = "control access to the network load balancer for sftp" vpc_id = data.aws_vpc.shared.id - ingress { - description = "allow DOM1 IP range on port 22" - from_port = 22 - to_port = 22 - protocol = "tcp" - cidr_blocks = [ - "20.26.11.71/32", "20.26.11.108/32", "20.49.214.199/32", - "20.49.214.228/32", "51.149.249.0/29", "51.149.249.32/29", - "51.149.250.0/24", "128.77.75.64/26", "194.33.200.0/21", - "194.33.216.0/23", "194.33.218.0/24", "194.33.248.0/29", - "194.33.249.0/29" - ] - } dynamic "ingress" { for_each = var.sftp_services content { diff --git a/terraform/modules/baseline_presets/cloudwatch_dashboards.tf b/terraform/modules/baseline_presets/cloudwatch_dashboards.tf index 57b1867a30c..0fe31ff2563 100644 --- a/terraform/modules/baseline_presets/cloudwatch_dashboards.tf +++ b/terraform/modules/baseline_presets/cloudwatch_dashboards.tf 
@@ -952,6 +952,50 @@ locals { } } } + ssm = { + ssm-command-invocation-status = { + type = "metric" + properties = { + view = "singleValue" + stacked = true + region = "eu-west-2" + title = "SSM CommandInvocation Failures - Per Account" + stat = "Maximum" + period = 300 + metrics = [ + [{ "expression" : "REMOVE_EMPTY(SEARCH('{CustomMetrics, Account} FailedSSMCommandInvocations', 'Sum', 300))", "label" : "Failed Invocations - ", "id" : "q1" }] + ] + yAxis = { + left = { + showUnits = false, + label = "failed invocations" + } + } + } + } + } + github = { + github-failed-workflow-runs = { + type = "metric" + properties = { + view = "singleValue" + stacked = true + region = "eu-west-2" + title = "GitHub Failed Workflow Runs - Per Repository" + stat = "Maximum" + period = 300 + metrics = [ + [{ "expression" : "REMOVE_EMPTY(SEARCH('{CustomMetrics, Repository} FailedGitHubWorkflowRuns', 'Sum', 300))", "label" : "Failed Runs - ", "id" : "q1" }] + ] + yAxis = { + left = { + showUnits = false, + label = "failed runs" + } + } + } + } + } } cloudwatch_dashboard_widget_groups = { @@ -1082,6 +1126,15 @@ locals { local.cloudwatch_dashboard_widgets.network_lb.load-balancer-peak-packets-per-second, ] } + custom = { + header_markdown = "## Custom Metrics" + width = 8 + height = 8 + widgets = [ + local.cloudwatch_dashboard_widgets.ssm.ssm-command-invocation-status, + local.cloudwatch_dashboard_widgets.github.github-failed-workflow-runs, + ] + } } cloudwatch_dashboards = { diff --git a/terraform/modules/ip_addresses/moj.tf b/terraform/modules/ip_addresses/moj.tf index d57accfa019..f880ce0d7c1 100644 --- a/terraform/modules/ip_addresses/moj.tf +++ b/terraform/modules/ip_addresses/moj.tf @@ -11,6 +11,9 @@ locals { "18.130.148.126/32", "35.176.148.126/32" ] + moj_aws_digital_macos_globalprotect_prisma = [ + "128.77.75.64/26", + ] # for MOJ Official devices mojo_aws_globalprotect_vpc = "10.184.0.0/16" 
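Review bot: The two new widgets mix notations: the `metrics` entries are written as JSON-style objects with quoted keys and colons (`{ "expression" : ..., "label" : ..., "id" : "q1" }`) while every surrounding attribute uses HCL `key = value`, and `showUnits = false,` carries a trailing comma the neighbouring attributes lack. Writing them as `{ expression = "...", label = "Failed Invocations - ", id = "q1" }` keeps the file consistent with the existing widget definitions in this locals block. The two widgets are otherwise identical apart from dimension, metric name and labels; a small `for` over a map would stop them drifting apart, though that is optional. The enclosing local (presumably `cloudwatch_dashboard_widgets`, which the second hunk references) begins outside the hunk.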
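Review bot: The new `moj_aws_digital_macos_globalprotect_prisma` entry carries no comment on where `128.77.75.64/26` comes from or when it was confirmed, unlike the `# for MOJ Official devices` annotation on the neighbouring `mojo_aws_globalprotect_vpc`, and the following hunk adds it straight into `trusted_moj_digital_staff_public`, which presumably feeds security-group allow lists in several environments. Add a provenance comment above it, e.g. `# Prisma Access egress range for MoJ Digital macOS GlobalProtect clients - source: <PLACEHOLDER: ticket or doc>`, so the range can be re-verified when the provider changes it. The same /26 is removed from a hard-coded SFTP security-group ingress elsewhere in this commit, so centralising it here is the right direction. The `moj_cidr` map begins and ends outside the hunk.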
@@ -81,6 +84,7 @@ locals { trusted_moj_digital_staff_public = flatten([ local.moj_cidr.moj_digital_studio_office, local.moj_cidr.moj_aws_digital_macos_globalprotect_alpha, + local.moj_cidr.moj_aws_digital_macos_globalprotect_prisma, local.moj_cidr.mojo_aws_preprod_byoip_cidr, local.moj_cidr.mojo_aws_prod_byoip_cidr, local.moj_cidr.mojo_arkc_internet_egress_exponential_e,