diff --git a/docs/IACHOWTO.md b/docs/IACHOWTO.md
index 82c6162..ccbd887 100644
--- a/docs/IACHOWTO.md
+++ b/docs/IACHOWTO.md
@@ -15,11 +15,24 @@ $ tfenv use 1.3.9
 
 2. make sure you set up an `AWS_PROFILE` in your `~/.aws/confg|credentials` files for the correct account/region
 
-3. then: `cd /terraform/veda-wfs3`
+3. then: `cd /terraform/<veda-wfs3> || <veda-wfs3-shared-mcp>`
 
-4. then: `AWS_PROFILE=<account> terraform init`
+4. terraform uses s3 as a backend to store state. if this is the first run for the system then the s3 bucket needs to exist before we run `terraform init`. Run the s3 script
 
-5. we also use Terraform "workspaces" so our infra state stays nicely separated in the same S3 bucket. Some quick samples of how to interact with that:
+  ```bash
+  $ cat init.tf | grep -a2 bucket
+  }
+  backend "s3" {
+    bucket         = "veda-wfs3-shared-mcp-prod-tf-state-bucket-v1"
+    key            = "root"
+    region         = "us-west-2"
+  
+  bash ./scripts/init_tf_s3_backend.sh veda-wfs3-shared-mcp-prod-tf-state-bucket-v1 us-west-2
+  ```
+
+6. if this is the first run, then execute: `AWS_PROFILE=<account> terraform init`
+
+7. we also use Terraform "workspaces" so our infra state stays nicely separated in the same S3 bucket. Some quick samples of how to interact with that:
 
 ```bash
 $ AWS_PROFILE=<account> terraform workspace list        
@@ -29,6 +42,9 @@ $ AWS_PROFILE=<account> terraform workspace list
 $ AWS_PROFILE=<account> terraform workspace select west2-staging
   default
 * west2-staging
+
+# if this is the first run you might have to create it
+$ AWS_PROFILE=<account> terraform workspace new west2-staging
 ```
 
 6. before you `plan|apply` changes make sure you `cp envtf.template .envtf.sh` and change values in there for secrets needed
diff --git a/envtf.template b/envtf.template
index 77e88a4..a547458 100644
--- a/envtf.template
+++ b/envtf.template
@@ -1,18 +1,6 @@
 #!/bin/sh
-# copy and rename this file to `.envtf.sh` and fill out values below
-
-###################################################################
-# only needed if you want to run `veda-wfs3-app/cd.sh` script
-# manually as a form of CD without CI
-###################################################################
-export TARGET_ENVIRONMENT=dev
-export TARGET_PROJECT_NAME=veda-wfs3
-
-##################################################################
-# currently we don't want to encrypt/decrypt and store secrets in
-# terraform/veda-wfs3/vars/*.tf. The basic workaround then
-# is to store them in AWS Secret Manager (where they will be used
-# by TF) and pump them locally into runs through OS env var(s)
-##################################################################
-# TODO: get this from AWS secret manager and hydrate locally, the SM key is `veda-wfs3-db-config`
-export TF_VAR_db_password=''
\ No newline at end of file
+######################################################################
+# run `./scripts/sync-env.sh` to quickly dump secret manager values to a file
+######################################################################
+export TF_VAR_vpc_id=''
+export TF_VAR_cloudfront_distribution_id=''
\ No newline at end of file
diff --git a/scripts/init_tf_s3_backend.sh b/scripts/init_tf_s3_backend.sh
new file mode 100644
index 0000000..5d67e15
--- /dev/null
+++ b/scripts/init_tf_s3_backend.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+BUCKET_NAME=$1
+REGION=$2
+
+# Check if the bucket exists
+if !aws s3 ls "s3://$BUCKET_NAME" 2>&1 | grep -q 'NoSuchBucket'; then
+  echo "Bucket exists, proceeding..."
+else
+  echo "Bucket does not exist, creating now..."
+  aws s3api create-bucket --bucket $BUCKET_NAME --region $REGION --create-bucket-configuration LocationConstraint=$REGION
+fi
\ No newline at end of file
diff --git a/scripts/sync-env.sh b/scripts/sync-env.sh
new file mode 100755
index 0000000..23ffea2
--- /dev/null
+++ b/scripts/sync-env.sh
@@ -0,0 +1,2 @@
+echo Loading environment secrets from $1
+aws secretsmanager get-secret-value --secret-id $1 --query SecretString --output text | jq -r "to_entries|map(\"TF_VAR_\(.key)=\(.value|tostring)\")|.[]" > .envtf.sh.new
\ No newline at end of file
diff --git a/terraform/modules/aws_ecs_service/main.tf b/terraform/modules/aws_ecs_service/main.tf
index 1a2666c..0dd0ac6 100755
--- a/terraform/modules/aws_ecs_service/main.tf
+++ b/terraform/modules/aws_ecs_service/main.tf
@@ -1,12 +1,3 @@
-########################################################################
-# Data Bits
-########################################################################
-data "aws_ecr_repository" "service" {
-  count = var.use_ecr ? 1 : 0
-  name  = var.ecr_repository_name
-}
-
-
 ########################################################################
 # IAM
 ########################################################################
@@ -64,7 +55,7 @@ data "aws_iam_policy_document" "ecs_ecr_access_attachment" {
     ]
 
     resources = [
-      data.aws_ecr_repository.service[0].arn,
+      var.ecr_repository_arn,
     ]
   }
 
diff --git a/terraform/modules/aws_ecs_service/variables.tf b/terraform/modules/aws_ecs_service/variables.tf
index bba749f..0c2a568 100755
--- a/terraform/modules/aws_ecs_service/variables.tf
+++ b/terraform/modules/aws_ecs_service/variables.tf
@@ -113,7 +113,8 @@ variable "use_adot_as_sidecar" {
   description = "If enabled, add ADOT task definition to existing task definitions"
 }
 
-variable "ecr_repository_name" {}
+variable "ecr_repository_arn" {}
+
 variable "image" {}
 
 variable "load_balancer" {
diff --git a/terraform/veda-wfs3-shared-mcp/.gitignore b/terraform/veda-wfs3-shared-mcp/.gitignore
new file mode 100644
index 0000000..4056b35
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/.gitignore
@@ -0,0 +1,3 @@
+*.tfstate
+.terraform
+*.zip
diff --git a/terraform/veda-wfs3-shared-mcp/.terraform.lock.hcl b/terraform/veda-wfs3-shared-mcp/.terraform.lock.hcl
new file mode 100644
index 0000000..e495b7d
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/.terraform.lock.hcl
@@ -0,0 +1,99 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/archive" {
+  version = "2.4.0"
+  hashes = [
+    "h1:ZtsrX5F13Ohsv/k/BvgyBVn0gF+lW4bkG7JmCGrN35Y=",
+    "zh:18e408596dd53048f7fc8229098d0e3ad940b92036a24287eff63e2caec72594",
+    "zh:392d4216ecd1a1fd933d23f4486b642a8480f934c13e2cae3c13b6b6a7e34a7b",
+    "zh:655dd1fa5ca753a4ace21d0de3792d96fff429445717f2ce31c125d19c38f3ff",
+    "zh:70dae36c176aa2b258331ad366a471176417a94dd3b4985a911b8be9ff842b00",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:7d8c8e3925f1e21daf73f85983894fbe8868e326910e6df3720265bc657b9c9c",
+    "zh:a032ec0f0aee27a789726e348e8ad20778c3a1c9190ef25e7cff602c8d175f44",
+    "zh:b8e50de62ba185745b0fe9713755079ad0e9f7ac8638d204de6762cc36870410",
+    "zh:c8ad0c7697a3d444df21ff97f3473a8604c8639be64afe3f31b8ec7ad7571e18",
+    "zh:df736c5a2a7c3a82c5493665f659437a22f0baf8c2d157e45f4dd7ca40e739fc",
+    "zh:e8ffbf578a0977074f6d08aa8734e36c726e53dc79894cfc4f25fadc4f45f1df",
+    "zh:efea57ff23b141551f92b2699024d356c7ffd1a4ad62931da7ed7a386aef7f1f",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "4.67.0"
+  constraints = "~> 4.0"
+  hashes = [
+    "h1:P43vwcDPG99x5WBbmqwUPgfJrfXf6/ucAIbGlRb7k1w=",
+    "zh:0843017ecc24385f2b45f2c5fce79dc25b258e50d516877b3affee3bef34f060",
+    "zh:19876066cfa60de91834ec569a6448dab8c2518b8a71b5ca870b2444febddac6",
+    "zh:24995686b2ad88c1ffaa242e36eee791fc6070e6144f418048c4ce24d0ba5183",
+    "zh:4a002990b9f4d6d225d82cb2fb8805789ffef791999ee5d9cb1fef579aeff8f1",
+    "zh:559a2b5ace06b878c6de3ecf19b94fbae3512562f7a51e930674b16c2f606e29",
+    "zh:6a07da13b86b9753b95d4d8218f6dae874cf34699bca1470d6effbb4dee7f4b7",
+    "zh:768b3bfd126c3b77dc975c7c0e5db3207e4f9997cf41aa3385c63206242ba043",
+    "zh:7be5177e698d4b547083cc738b977742d70ed68487ce6f49ecd0c94dbf9d1362",
+    "zh:8b562a818915fb0d85959257095251a05c76f3467caa3ba95c583ba5fe043f9b",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:9c385d03a958b54e2afd5279cd8c7cbdd2d6ca5c7d6a333e61092331f38af7cf",
+    "zh:b3ca45f2821a89af417787df8289cb4314b273d29555ad3b2a5ab98bb4816b3b",
+    "zh:da3c317f1db2469615ab40aa6baba63b5643bae7110ff855277a1fb9d8eb4f2c",
+    "zh:dc6430622a8dc5cdab359a8704aec81d3825ea1d305bbb3bbd032b1c6adfae0c",
+    "zh:fac0d2ddeadf9ec53da87922f666e1e73a603a611c57bcbc4b86ac2821619b1d",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/null" {
+  version = "3.2.1"
+  hashes = [
+    "h1:tSj1mL6OQ8ILGqR2mDu7OYYYWf+hoir0pf9KAQ8IzO8=",
+    "zh:58ed64389620cc7b82f01332e27723856422820cfd302e304b5f6c3436fb9840",
+    "zh:62a5cc82c3b2ddef7ef3a6f2fedb7b9b3deff4ab7b414938b08e51d6e8be87cb",
+    "zh:63cff4de03af983175a7e37e52d4bd89d990be256b16b5c7f919aff5ad485aa5",
+    "zh:74cb22c6700e48486b7cabefa10b33b801dfcab56f1a6ac9b6624531f3d36ea3",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:79e553aff77f1cfa9012a2218b8238dd672ea5e1b2924775ac9ac24d2a75c238",
+    "zh:a1e06ddda0b5ac48f7e7c7d59e1ab5a4073bbcf876c73c0299e4610ed53859dc",
+    "zh:c37a97090f1a82222925d45d84483b2aa702ef7ab66532af6cbcfb567818b970",
+    "zh:e4453fbebf90c53ca3323a92e7ca0f9961427d2f0ce0d2b65523cc04d5d999c2",
+    "zh:e80a746921946d8b6761e77305b752ad188da60688cfd2059322875d363be5f5",
+    "zh:fbdb892d9822ed0e4cb60f2fedbdbb556e4da0d88d3b942ae963ed6ff091e48f",
+    "zh:fca01a623d90d0cad0843102f9b8b9fe0d3ff8244593bd817f126582b52dd694",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/random" {
+  version = "3.5.1"
+  hashes = [
+    "h1:sZ7MTSD4FLekNN2wSNFGpM+5slfvpm5A/NLVZiB7CO0=",
+    "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64",
+    "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d",
+    "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831",
+    "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3",
+    "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b",
+    "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2",
+    "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865",
+    "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03",
+    "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602",
+    "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/template" {
+  version = "2.2.0"
+  hashes = [
+    "h1:0wlehNaxBX7GJQnPfQwTNvvAf38Jm0Nv7ssKGMaG6Og=",
+    "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386",
+    "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53",
+    "zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603",
+    "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16",
+    "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776",
+    "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451",
+    "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae",
+    "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde",
+    "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d",
+    "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2",
+  ]
+}
diff --git a/terraform/veda-wfs3-shared-mcp/cloudfront_cache_policy.tf b/terraform/veda-wfs3-shared-mcp/cloudfront_cache_policy.tf
new file mode 100644
index 0000000..fe95adf
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/cloudfront_cache_policy.tf
@@ -0,0 +1,24 @@
+resource "aws_cloudfront_cache_policy" "tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad" {
+  comment     = "Policy with caching disabled"
+  default_ttl = "0"
+  max_ttl     = "0"
+  min_ttl     = "0"
+  name        = "Managed-CachingDisabled"
+
+  parameters_in_cache_key_and_forwarded_to_origin {
+    cookies_config {
+      cookie_behavior = "none"
+    }
+
+    enable_accept_encoding_brotli = "false"
+    enable_accept_encoding_gzip   = "false"
+
+    headers_config {
+      header_behavior = "none"
+    }
+
+    query_strings_config {
+      query_string_behavior = "none"
+    }
+  }
+}
\ No newline at end of file
diff --git a/terraform/veda-wfs3-shared-mcp/cloudfront_distribution.tf b/terraform/veda-wfs3-shared-mcp/cloudfront_distribution.tf
new file mode 100644
index 0000000..23097e3
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/cloudfront_distribution.tf
@@ -0,0 +1,196 @@
+resource "aws_cloudfront_distribution" "tfer--E1MYAUHEUHR59N" {
+  aliases = ["alex.delta-backend.xyz"]
+  comment = "veda-backend-alex"
+
+  default_cache_behavior {
+    allowed_methods        = ["GET", "HEAD"]
+    cache_policy_id        = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods         = ["GET", "HEAD"]
+    compress               = "true"
+    default_ttl            = "0"
+    max_ttl                = "0"
+    min_ttl                = "0"
+    smooth_streaming       = "false"
+    target_origin_id       = "stac-browser"
+    viewer_protocol_policy = "allow-all"
+  }
+
+  enabled         = "true"
+  http_version    = "http2"
+  is_ipv6_enabled = "true"
+
+  ordered_cache_behavior {
+    allowed_methods        = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cache_policy_id        = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods         = ["GET", "HEAD"]
+    compress               = "true"
+    default_ttl            = "0"
+    max_ttl                = "0"
+    min_ttl                = "0"
+    path_pattern           = "/api/ingest*"
+    smooth_streaming       = "false"
+    target_origin_id       = "ingest-api"
+    viewer_protocol_policy = "allow-all"
+  }
+
+  ordered_cache_behavior {
+    allowed_methods          = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cache_policy_id          = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods           = ["GET", "HEAD"]
+    compress                 = "true"
+    default_ttl              = "0"
+    max_ttl                  = "0"
+    min_ttl                  = "0"
+    origin_request_policy_id = "b689b0a8-53d0-40ab-baf2-68738e2966ac"
+    path_pattern             = "/api/stac*"
+    smooth_streaming         = "false"
+    target_origin_id         = "stac-api"
+    viewer_protocol_policy   = "allow-all"
+  }
+
+  ordered_cache_behavior {
+    allowed_methods          = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cache_policy_id          = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods           = ["GET", "HEAD"]
+    compress                 = "true"
+    default_ttl              = "0"
+    max_ttl                  = "0"
+    min_ttl                  = "0"
+    origin_request_policy_id = "b689b0a8-53d0-40ab-baf2-68738e2966ac"
+    path_pattern             = "/api/raster*"
+    smooth_streaming         = "false"
+    target_origin_id         = "raster-api"
+    viewer_protocol_policy   = "allow-all"
+  }
+
+  ordered_cache_behavior {
+    allowed_methods          = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cache_policy_id          = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods           = ["GET", "HEAD"]
+    compress                 = "true"
+    default_ttl              = "0"
+    max_ttl                  = "0"
+    min_ttl                  = "0"
+    origin_request_policy_id = "b689b0a8-53d0-40ab-baf2-68738e2966ac"
+    path_pattern             = "/api/features*"
+    smooth_streaming         = "false"
+    target_origin_id         = "features-api"
+    viewer_protocol_policy   = "allow-all"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "http-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "veda-dev-stac-browser.s3-website-us-west-2.amazonaws.com"
+    origin_id   = "stac-browser"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "https-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "6r8ht9b123.execute-api.us-west-2.amazonaws.com"
+    origin_id   = "ingest-api"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "https-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "czkqaklfbb.execute-api.us-west-2.amazonaws.com"
+    origin_id   = "raster-api"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "https-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "ll8eozrj0b.execute-api.us-west-2.amazonaws.com"
+    origin_id   = "stac-api"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "http-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "${aws_alb.alb_ecs.dns_name}"
+    origin_id   = "features-api"
+  }
+
+  price_class = "PriceClass_All"
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  retain_on_delete = "false"
+
+  tags = {
+    Client  = "nasa-impact"
+    Owner   = "ds"
+    Project = "veda-backend"
+    Stack   = "alex"
+  }
+
+  tags_all = {
+    Client  = "nasa-impact"
+    Owner   = "ds"
+    Project = "veda-backend"
+    Stack   = "alex"
+  }
+
+  viewer_certificate {
+    acm_certificate_arn            = "arn:aws:acm:us-east-1:853558080719:certificate/01fc600d-f6b9-4581-b1a8-ac0a68cff7a1"
+    cloudfront_default_certificate = "false"
+    minimum_protocol_version       = "TLSv1.2_2021"
+    ssl_support_method             = "sni-only"
+  }
+}
\ No newline at end of file
diff --git a/terraform/veda-wfs3-shared-mcp/dns.tf b/terraform/veda-wfs3-shared-mcp/dns.tf
new file mode 100644
index 0000000..829cecb
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/dns.tf
@@ -0,0 +1,34 @@
+#data "aws_route53_zone" "zone" {
+#  provider = aws.west2
+#  name     = var.dns_zone_name
+#}
+#
+#resource "aws_acm_certificate" "cert" {
+#  provider = aws.west2
+#  domain_name               = "*.${data.aws_route53_zone.zone.name}"
+#  validation_method         = "DNS"
+#  tags                      = var.tags
+#
+#  lifecycle {
+#    create_before_destroy = true
+#  }
+#}
+#
+#resource "aws_route53_record" "subdomain_record" {
+#  provider = aws.west2
+#  name     = "${var.dns_subdomain}.${data.aws_route53_zone.zone.name}"
+#  zone_id  = data.aws_route53_zone.zone.id
+#  type     = "A"
+#
+#  alias {
+#    name                   = aws_alb.alb_ecs.dns_name
+#    zone_id                = aws_alb.alb_ecs.zone_id
+#    evaluate_target_health = true
+#  }
+#}
+#
+#resource "aws_lb_listener_certificate" "cert" {
+#  provider = aws.west2
+#  listener_arn    = aws_alb_listener.alb_listener_ecs.arn
+#  certificate_arn = aws_acm_certificate.cert.arn
+#}
\ No newline at end of file
diff --git a/terraform/veda-wfs3-shared-mcp/ecr.tf b/terraform/veda-wfs3-shared-mcp/ecr.tf
new file mode 100644
index 0000000..ae50cb5
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/ecr.tf
@@ -0,0 +1,77 @@
+#module "ecr_registry" {
+#  source = "github.com/developmentseed/tf-seed/modules/aws_ecr"
+#  environment              = var.env
+#  registry_name            = var.registry_name
+#  enable_registry_scanning = true
+#  mutable_image_tags       = true
+#  enable_deploy_user       = true
+#  iam_deploy_username      = aws_iam_user.deploy_user.name
+#  tags = var.tags
+#}
+
+resource "aws_iam_user_policy" "default_deploy_user" {
+  name   = "${var.registry_name}-${var.env}-deploy-policy"
+  user   = aws_iam_user.deploy_user.name
+  policy = data.aws_iam_policy_document.deploy.json
+}
+
+data "aws_iam_policy_document" "deploy" {
+  statement {
+    actions = [
+      "sts:GetServiceBearerToken",
+      "ecr-public:*",
+      "ecr:GetAuthorizationToken",
+      "ecr:BatchCheckLayerAvailability",
+      "ecr:GetDownloadUrlForLayer",
+      "ecr:GetRepositoryPolicy",
+      "ecr:DescribeRepositories",
+      "ecr:ListImages",
+      "ecr:DescribeImages",
+      "ecr:BatchGetImage"
+    ]
+
+    resources = [
+      "*"
+    ]
+  }
+
+  statement {
+    actions = [
+      "ecr:InitiateLayerUpload",
+      "ecr:UploadLayerPart",
+      "ecr:CompleteLayerUpload",
+      "ecr:PutImage"
+    ]
+
+    resources = [
+      aws_ecr_repository.service.arn
+    ]
+  }
+}
+
+resource "aws_ecr_repository" "service" {
+  name = "tf-${var.registry_name}-${var.env}-v2"
+  image_tag_mutability = "MUTABLE"
+
+  image_scanning_configuration {
+    scan_on_push = false
+  }
+
+  tags = var.tags
+}
+
+resource "null_resource" "build_ecr_image_wfs" {
+  triggers = {
+    folder_path = sha1(join("", [for f in fileset("../../veda-wfs3-app", "*") : filesha1("../../veda-wfs3-app/${f}")]))
+  }
+
+  provisioner "local-exec" {
+    command = <<EOF
+          cd ../../veda-wfs3-app
+          aws ecr get-login-password --region ${var.region} | docker login --username AWS --password-stdin ${aws_ecr_repository.service.repository_url}
+          docker build -t ${aws_ecr_repository.service.repository_url}:latest .
+          docker push ${aws_ecr_repository.service.repository_url}:latest
+          cd -
+       EOF
+  }
+}
\ No newline at end of file
diff --git a/terraform/veda-wfs3-shared-mcp/ecs_api.tf b/terraform/veda-wfs3-shared-mcp/ecs_api.tf
new file mode 100644
index 0000000..533bf24
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/ecs_api.tf
@@ -0,0 +1,124 @@
+module "ecs_cluster" {
+  source = "../modules/aws_ecs_service"
+  environment = var.env
+  region      = var.region
+  vpc_id      = "${data.aws_vpc.vpc.id}"
+  subnet_ids  = data.aws_subnets.private_subnet_ids.ids
+
+  service_name       = "${var.project_name}-service"
+  service_port       = var.service_port
+  service_protocol   = "tcp"
+  cpu                = 2048
+  memory             = 4096
+  instance_count     = 1
+  log_retention_days = 60
+
+  container_command           = ["/bin/bash", "startup.sh"]
+  container_working_directory = "/tmp/"
+
+  container_secrets = [
+    {
+      name = "AWS_CONFIG"
+      valueFrom = aws_secretsmanager_secret.config.arn
+    },
+    {
+      name = "DB_CONFIG"
+      valueFrom = aws_secretsmanager_secret.db_config.arn
+    },
+  ]
+
+  container_environment = [
+    {
+      name  = "ENVIRONMENT"
+      value = var.env
+    },
+    {
+      name  = "IS_ECS"
+      value = "True"
+    },
+    {
+      name = "OTEL_PROPAGATORS"
+      value = "xray"
+    },
+    {
+      name = "OTEL_PYTHON_ID_GENERATOR"
+      value = "xray"
+    },
+    {
+      name = "OTEL_RESOURCE_ATTRIBUTES"
+      value = "service.name=veda-wfs3-${var.env}"
+    },
+    {
+      name = "OTEL_RESOURCE_ATTRIBUTES"
+      value = "service.name=veda-wfs3-${var.env}"
+    },
+    {
+      name = "OTEL_TRACES_SAMPLER"
+      value = "traceidratio"
+    },
+    {
+      name = "OTEL_TRACES_SAMPLER_ARG"
+      value = "0.5"
+    },
+    {
+      name = "FORWARDED_ALLOW_IPS"
+      value = "*"
+    },
+    {
+      name = "FAST_API_SCHEME"
+      value = "${var.ecs_protocol}"
+    },
+    {
+      name = "TIPG_CATALOG_TTL"
+      value = "300"
+    }
+  ]
+
+  container_ingress_cidrs = ["0.0.0.0/0"]
+  container_ingress_sg_ids = []
+
+  use_adot_as_sidecar = false
+  use_ecr = true
+  ecr_repository_arn  = aws_ecr_repository.service.arn
+  image = "${aws_ecr_repository.service.repository_url}:latest"
+
+  load_balancer = true
+  lb_type = "application"
+  lb_target_group_arn = aws_alb_target_group.alb_target_group.arn
+  lb_security_group_id = aws_security_group.web_inbound_sg.id
+  lb_container_port = var.service_port
+
+  tags = var.tags
+}
+
+##############################################################
+# The ECS task execution role represented by the output
+# `module.ecs_cluster.ecs_execution_role_id`
+# requires additional policies depending on what it needs
+# to access in AWS. Hence the attachments below
+##############################################################
+
+##############################################################
+# give acess to AWS secret manager to access
+# `container_secrets` pumped into the task above
+#
+data "aws_iam_policy_document" "api_ecs_execution_attachment" {
+  statement {
+    actions = [
+      "secretsmanager:DescribeSecret",
+      "secretsmanager:GetSecretValue",
+      "kms:Decrypt",
+    ]
+
+    resources = [
+      aws_secretsmanager_secret.config.arn,
+      aws_secretsmanager_secret.db_config.arn
+    ]
+  }
+}
+
+resource "aws_iam_role_policy" "api_ecs_execution_role_policy" {
+  name   = "${var.project_name}-api-access-secret-manager"
+  role   = module.ecs_cluster.ecs_execution_role_id
+  policy = data.aws_iam_policy_document.api_ecs_execution_attachment.json
+}
diff --git a/terraform/veda-wfs3-shared-mcp/functions/s3_event_bridge_to_sfn_execute/lambda_function.py b/terraform/veda-wfs3-shared-mcp/functions/s3_event_bridge_to_sfn_execute/lambda_function.py
new file mode 100644
index 0000000..d524d83
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/functions/s3_event_bridge_to_sfn_execute/lambda_function.py
@@ -0,0 +1,57 @@
+import boto3
+import http.client
+import os
+import base64
+import ast
+import json
+mwaa_env_name = 'veda-pipeline-staging-mwaa'
+dag_name = 'veda_discover'
+mwaa_cli_command = 'dags trigger'
+client = boto3.client('mwaa')
+
+
+def lambda_handler(event, context):
+    for record in event['Records']:
+        print(f"[ RECORD ]: {record}")
+        s3_event_key = record['s3']['object']['key']
+        print(f"[ S3 EVENT KEY ]: {s3_event_key}")
+        s3_filename_target = os.path.split(s3_event_key)[-1]
+        print(f"[ S3 FILENAME TARGET ]: {s3_filename_target}")
+        s3_filename_no_ext = os.path.splitext(s3_filename_target)[0]
+        print(f"[ S3 FILENAME NO EXT ]: {s3_filename_no_ext}")
+
+        bucket_key_prefix = "EIS/FEDSoutput/Snapshot/"
+        if s3_filename_no_ext.startswith("lf_"):
+            bucket_key_prefix = "EIS/FEDSoutput/LFArchive/"
+
+        # get web token
+        mwaa_cli_token = client.create_cli_token(
+            Name=mwaa_env_name
+        )
+        print(f"[ CLI TOKEN ]: {mwaa_cli_token}")
+        serialized_args = json.dumps({
+                    "discovery": "s3",
+                    "collection": s3_filename_no_ext,
+                    "prefix": bucket_key_prefix,
+                    "bucket": "veda-data-store-staging",
+                    "filename_regex": f"^(.*){s3_filename_target}$",
+                    "vector": True
+        })
+        conn = http.client.HTTPSConnection(mwaa_cli_token['WebServerHostname'])
+        payload = f"{mwaa_cli_command} {dag_name} --conf '{serialized_args}'"
+        print(f"[ CLI PAYLOAD ]: {payload}")
+        headers = {
+          'Authorization': 'Bearer ' + mwaa_cli_token['CliToken'],
+          'Content-Type': 'text/plain'
+        }
+        conn.request("POST", "/aws_mwaa/cli", payload, headers)
+        res = conn.getresponse()
+        data = res.read()
+        dict_str = data.decode("UTF-8")
+        mydata = ast.literal_eval(dict_str)
+        print(f"[ DATA ]: {mydata}")
+        print(f"[ STDOUT ]: {base64.b64decode(mydata['stdout'])}")
+    return {
+        'statusCode': 200,
+        'body': json.dumps('Hello from Lambda!')
+    }
\ No newline at end of file
diff --git a/terraform/veda-wfs3-shared-mcp/functions/s3_event_bridge_to_sfn_execute/requirements.txt b/terraform/veda-wfs3-shared-mcp/functions/s3_event_bridge_to_sfn_execute/requirements.txt
new file mode 100644
index 0000000..1db657b
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/functions/s3_event_bridge_to_sfn_execute/requirements.txt
@@ -0,0 +1 @@
+boto3
\ No newline at end of file
diff --git a/terraform/veda-wfs3-shared-mcp/generated/aws/cloudfront/cloudfront_cache_policy.tf b/terraform/veda-wfs3-shared-mcp/generated/aws/cloudfront/cloudfront_cache_policy.tf
new file mode 100755
index 0000000..f0a35ac
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/generated/aws/cloudfront/cloudfront_cache_policy.tf
@@ -0,0 +1,189 @@
+resource "aws_cloudfront_cache_policy" "tfer--08627262-05a9-4f76-9ded-b50ca2e3a84f" {
+  comment     = "Policy for Elemental MediaPackage Origin"
+  default_ttl = "86400"
+  max_ttl     = "31536000"
+  min_ttl     = "0"
+  name        = "Managed-Elemental-MediaPackage"
+
+  parameters_in_cache_key_and_forwarded_to_origin {
+    cookies_config {
+      cookie_behavior = "none"
+    }
+
+    enable_accept_encoding_brotli = "false"
+    enable_accept_encoding_gzip   = "true"
+
+    headers_config {
+      header_behavior = "whitelist"
+
+      headers {
+        items = ["origin"]
+      }
+    }
+
+    query_strings_config {
+      query_string_behavior = "whitelist"
+
+      query_strings {
+        items = ["aws.manifestfilter", "end", "m", "start"]
+      }
+    }
+  }
+}
+
+resource "aws_cloudfront_cache_policy" "tfer--28a8e074-fa92-49d8-b10d-b4f912db6176" {
+  default_ttl = "86400"
+  max_ttl     = "31536000"
+  min_ttl     = "1"
+  name        = "try-q-all"
+
+  parameters_in_cache_key_and_forwarded_to_origin {
+    cookies_config {
+      cookie_behavior = "none"
+    }
+
+    enable_accept_encoding_brotli = "true"
+    enable_accept_encoding_gzip   = "true"
+
+    headers_config {
+      header_behavior = "none"
+    }
+
+    query_strings_config {
+      query_string_behavior = "all"
+    }
+  }
+}
+
+resource "aws_cloudfront_cache_policy" "tfer--2e54312d-136d-493c-8eb9-b001f22f67d2" {
+  comment     = "Policy for Amplify Origin"
+  default_ttl = "2"
+  max_ttl     = "600"
+  min_ttl     = "2"
+  name        = "Managed-Amplify"
+
+  parameters_in_cache_key_and_forwarded_to_origin {
+    cookies_config {
+      cookie_behavior = "all"
+    }
+
+    enable_accept_encoding_brotli = "true"
+    enable_accept_encoding_gzip   = "true"
+
+    headers_config {
+      header_behavior = "whitelist"
+
+      headers {
+        items = ["Authorization", "CloudFront-Viewer-Country", "Host"]
+      }
+    }
+
+    query_strings_config {
+      query_string_behavior = "all"
+    }
+  }
+}
+
+resource "aws_cloudfront_cache_policy" "tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad" {
+  comment     = "Policy with caching disabled"
+  default_ttl = "0"
+  max_ttl     = "0"
+  min_ttl     = "0"
+  name        = "Managed-CachingDisabled"
+
+  parameters_in_cache_key_and_forwarded_to_origin {
+    cookies_config {
+      cookie_behavior = "none"
+    }
+
+    enable_accept_encoding_brotli = "false"
+    enable_accept_encoding_gzip   = "false"
+
+    headers_config {
+      header_behavior = "none"
+    }
+
+    query_strings_config {
+      query_string_behavior = "none"
+    }
+  }
+}
+
+resource "aws_cloudfront_cache_policy" "tfer--658327ea-f89d-4fab-a63d-7e88639e58f6" {
+  comment     = "Policy with caching enabled. Supports Gzip and Brotli compression."
+  default_ttl = "86400"
+  max_ttl     = "31536000"
+  min_ttl     = "1"
+  name        = "Managed-CachingOptimized"
+
+  parameters_in_cache_key_and_forwarded_to_origin {
+    cookies_config {
+      cookie_behavior = "none"
+    }
+
+    enable_accept_encoding_brotli = "true"
+    enable_accept_encoding_gzip   = "true"
+
+    headers_config {
+      header_behavior = "none"
+    }
+
+    query_strings_config {
+      query_string_behavior = "none"
+    }
+  }
+}
+
+resource "aws_cloudfront_cache_policy" "tfer--b2884449-e4de-46a7-ac36-70bc7f1ddd6d" {
+  comment     = "Default policy when compression is disabled"
+  default_ttl = "86400"
+  max_ttl     = "31536000"
+  min_ttl     = "1"
+  name        = "Managed-CachingOptimizedForUncompressedObjects"
+
+  parameters_in_cache_key_and_forwarded_to_origin {
+    cookies_config {
+      cookie_behavior = "none"
+    }
+
+    enable_accept_encoding_brotli = "false"
+    enable_accept_encoding_gzip   = "false"
+
+    headers_config {
+      header_behavior = "none"
+    }
+
+    query_strings_config {
+      query_string_behavior = "none"
+    }
+  }
+}
+
+resource "aws_cloudfront_cache_policy" "tfer--d365e40d-cd44-48b4-9b1b-c1b82e278e8e" {
+  comment     = "Allow Authorization and Host headers to pass through"
+  default_ttl = "86400"
+  max_ttl     = "31536000"
+  min_ttl     = "1"
+  name        = "SendHeadersToAPIGateway"
+
+  parameters_in_cache_key_and_forwarded_to_origin {
+    cookies_config {
+      cookie_behavior = "none"
+    }
+
+    enable_accept_encoding_brotli = "true"
+    enable_accept_encoding_gzip   = "true"
+
+    headers_config {
+      header_behavior = "whitelist"
+
+      headers {
+        items = ["Authorization"]
+      }
+    }
+
+    query_strings_config {
+      query_string_behavior = "none"
+    }
+  }
+}
diff --git a/terraform/veda-wfs3-shared-mcp/generated/aws/cloudfront/cloudfront_distribution.tf b/terraform/veda-wfs3-shared-mcp/generated/aws/cloudfront/cloudfront_distribution.tf
new file mode 100755
index 0000000..5af90f5
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/generated/aws/cloudfront/cloudfront_distribution.tf
@@ -0,0 +1,1052 @@
+resource "aws_cloudfront_distribution" "tfer--E19SG8OJH9PZ0W" {
+  default_cache_behavior {
+    allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cached_methods  = ["GET", "HEAD"]
+    compress        = "true"
+    default_ttl     = "0"
+
+    forwarded_values {
+      cookies {
+        forward = "all"
+      }
+
+      headers      = ["Authorization", "CloudFront-Is-Desktop-Viewer", "CloudFront-Is-Mobile-Viewer", "CloudFront-Is-Tablet-Viewer", "CloudFront-Viewer-Country"]
+      query_string = "true"
+    }
+
+    lambda_function_association {
+      event_type   = "origin-request"
+      include_body = "true"
+      lambda_arn   = "arn:aws:lambda:us-east-1:853558080719:function:amustlp-0kl1dlr:4"
+    }
+
+    lambda_function_association {
+      event_type   = "origin-response"
+      include_body = "false"
+      lambda_arn   = "arn:aws:lambda:us-east-1:853558080719:function:amustlp-0kl1dlr:4"
+    }
+
+    max_ttl                = "31536000"
+    min_ttl                = "0"
+    smooth_streaming       = "false"
+    target_origin_id       = "amustlp-dybv83e"
+    viewer_protocol_policy = "redirect-to-https"
+  }
+
+  enabled         = "true"
+  http_version    = "http2"
+  is_ipv6_enabled = "true"
+
+  ordered_cache_behavior {
+    allowed_methods = ["GET", "HEAD"]
+    cached_methods  = ["GET", "HEAD"]
+    compress        = "true"
+    default_ttl     = "86400"
+
+    forwarded_values {
+      cookies {
+        forward = "none"
+      }
+
+      query_string = "false"
+    }
+
+    max_ttl                = "31536000"
+    min_ttl                = "0"
+    path_pattern           = "_next/static/*"
+    smooth_streaming       = "false"
+    target_origin_id       = "amustlp-dybv83e"
+    viewer_protocol_policy = "https-only"
+  }
+
+  ordered_cache_behavior {
+    allowed_methods = ["GET", "HEAD"]
+    cached_methods  = ["GET", "HEAD"]
+    compress        = "true"
+    default_ttl     = "86400"
+
+    forwarded_values {
+      cookies {
+        forward = "none"
+      }
+
+      query_string = "false"
+    }
+
+    max_ttl                = "31536000"
+    min_ttl                = "0"
+    path_pattern           = "static/*"
+    smooth_streaming       = "false"
+    target_origin_id       = "amustlp-dybv83e"
+    viewer_protocol_policy = "https-only"
+  }
+
+  ordered_cache_behavior {
+    allowed_methods = ["GET", "HEAD"]
+    cached_methods  = ["GET", "HEAD"]
+    compress        = "true"
+    default_ttl     = "0"
+
+    forwarded_values {
+      cookies {
+        forward = "all"
+      }
+
+      headers      = ["Authorization", "Host"]
+      query_string = "true"
+    }
+
+    lambda_function_association {
+      event_type   = "origin-request"
+      include_body = "true"
+      lambda_arn   = "arn:aws:lambda:us-east-1:853558080719:function:amustlp-0kl1dlr:4"
+    }
+
+    lambda_function_association {
+      event_type   = "origin-response"
+      include_body = "false"
+      lambda_arn   = "arn:aws:lambda:us-east-1:853558080719:function:amustlp-0kl1dlr:4"
+    }
+
+    max_ttl                = "31536000"
+    min_ttl                = "0"
+    path_pattern           = "_next/data/*"
+    smooth_streaming       = "false"
+    target_origin_id       = "amustlp-dybv83e"
+    viewer_protocol_policy = "https-only"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+    domain_name         = "amustlp-dybv83e.s3.us-east-1.amazonaws.com"
+    origin_id           = "amustlp-dybv83e"
+
+    s3_origin_config {
+      origin_access_identity = "origin-access-identity/cloudfront/E19RD5SRD8O6HB"
+    }
+  }
+
+  price_class = "PriceClass_All"
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  retain_on_delete = "false"
+
+  viewer_certificate {
+    cloudfront_default_certificate = "true"
+    minimum_protocol_version       = "TLSv1"
+  }
+}
+
+resource "aws_cloudfront_distribution" "tfer--E1MYAUHEUHR59N" {
+  aliases = ["alex.delta-backend.xyz"]
+  comment = "veda-backend-alex"
+
+  default_cache_behavior {
+    allowed_methods        = ["GET", "HEAD"]
+    cache_policy_id        = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods         = ["GET", "HEAD"]
+    compress               = "true"
+    default_ttl            = "0"
+    max_ttl                = "0"
+    min_ttl                = "0"
+    smooth_streaming       = "false"
+    target_origin_id       = "stac-browser"
+    viewer_protocol_policy = "allow-all"
+  }
+
+  enabled         = "true"
+  http_version    = "http2"
+  is_ipv6_enabled = "true"
+
+  ordered_cache_behavior {
+    allowed_methods        = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cache_policy_id        = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods         = ["GET", "HEAD"]
+    compress               = "true"
+    default_ttl            = "0"
+    max_ttl                = "0"
+    min_ttl                = "0"
+    path_pattern           = "/api/ingest*"
+    smooth_streaming       = "false"
+    target_origin_id       = "ingest-api"
+    viewer_protocol_policy = "allow-all"
+  }
+
+  ordered_cache_behavior {
+    allowed_methods          = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cache_policy_id          = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods           = ["GET", "HEAD"]
+    compress                 = "true"
+    default_ttl              = "0"
+    max_ttl                  = "0"
+    min_ttl                  = "0"
+    origin_request_policy_id = "b689b0a8-53d0-40ab-baf2-68738e2966ac"
+    path_pattern             = "/api/stac*"
+    smooth_streaming         = "false"
+    target_origin_id         = "stac-api"
+    viewer_protocol_policy   = "allow-all"
+  }
+
+  ordered_cache_behavior {
+    allowed_methods          = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cache_policy_id          = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods           = ["GET", "HEAD"]
+    compress                 = "true"
+    default_ttl              = "0"
+    max_ttl                  = "0"
+    min_ttl                  = "0"
+    origin_request_policy_id = "b689b0a8-53d0-40ab-baf2-68738e2966ac"
+    path_pattern             = "/api/raster*"
+    smooth_streaming         = "false"
+    target_origin_id         = "raster-api"
+    viewer_protocol_policy   = "allow-all"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "http-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "veda-dev-stac-browser.s3-website-us-west-2.amazonaws.com"
+    origin_id   = "stac-browser"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "https-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "6r8ht9b123.execute-api.us-west-2.amazonaws.com"
+    origin_id   = "ingest-api"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "https-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "czkqaklfbb.execute-api.us-west-2.amazonaws.com"
+    origin_id   = "raster-api"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "https-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "ll8eozrj0b.execute-api.us-west-2.amazonaws.com"
+    origin_id   = "stac-api"
+  }
+
+  price_class = "PriceClass_All"
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  retain_on_delete = "false"
+
+  tags = {
+    Client  = "nasa-impact"
+    Owner   = "ds"
+    Project = "veda-backend"
+    Stack   = "alex"
+  }
+
+  tags_all = {
+    Client  = "nasa-impact"
+    Owner   = "ds"
+    Project = "veda-backend"
+    Stack   = "alex"
+  }
+
+  viewer_certificate {
+    acm_certificate_arn            = "arn:aws:acm:us-east-1:853558080719:certificate/01fc600d-f6b9-4581-b1a8-ac0a68cff7a1"
+    cloudfront_default_certificate = "false"
+    minimum_protocol_version       = "TLSv1.2_2021"
+    ssl_support_method             = "sni-only"
+  }
+}
+
+resource "aws_cloudfront_distribution" "tfer--E1P87SC03QQ2OJ" {
+  default_cache_behavior {
+    allowed_methods        = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cache_policy_id        = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods         = ["GET", "HEAD"]
+    compress               = "true"
+    default_ttl            = "0"
+    max_ttl                = "0"
+    min_ttl                = "0"
+    smooth_streaming       = "false"
+    target_origin_id       = "veda-dev-stac-browser.s3-website-us-west-2.amazonaws.com"
+    viewer_protocol_policy = "https-only"
+  }
+
+  enabled         = "true"
+  http_version    = "http2"
+  is_ipv6_enabled = "true"
+
+  ordered_cache_behavior {
+    allowed_methods        = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cache_policy_id        = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods         = ["GET", "HEAD"]
+    compress               = "true"
+    default_ttl            = "0"
+    max_ttl                = "0"
+    min_ttl                = "0"
+    path_pattern           = "/api/stac/*"
+    smooth_streaming       = "false"
+    target_origin_id       = "5311cl1w5l.execute-api.us-west-2.amazonaws.com"
+    viewer_protocol_policy = "https-only"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "http-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "veda-dev-stac-browser.s3-website-us-west-2.amazonaws.com"
+    origin_id   = "veda-dev-stac-browser.s3-website-us-west-2.amazonaws.com"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "https-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "5311cl1w5l.execute-api.us-west-2.amazonaws.com"
+    origin_id   = "5311cl1w5l.execute-api.us-west-2.amazonaws.com"
+  }
+
+  price_class = "PriceClass_All"
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  retain_on_delete = "false"
+
+  viewer_certificate {
+    cloudfront_default_certificate = "true"
+    minimum_protocol_version       = "TLSv1"
+  }
+}
+
+resource "aws_cloudfront_distribution" "tfer--E1T7VRMWT58GVT" {
+  aliases = ["dev.delta-backend.com"]
+  comment = "veda-backend-uah-dev"
+
+  default_cache_behavior {
+    allowed_methods        = ["GET", "HEAD"]
+    cache_policy_id        = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods         = ["GET", "HEAD"]
+    compress               = "true"
+    default_ttl            = "0"
+    max_ttl                = "0"
+    min_ttl                = "0"
+    smooth_streaming       = "false"
+    target_origin_id       = "stac-browser"
+    viewer_protocol_policy = "allow-all"
+  }
+
+  enabled         = "true"
+  http_version    = "http2"
+  is_ipv6_enabled = "true"
+
+  ordered_cache_behavior {
+    allowed_methods          = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cache_policy_id          = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods           = ["GET", "HEAD"]
+    compress                 = "true"
+    default_ttl              = "0"
+    max_ttl                  = "0"
+    min_ttl                  = "0"
+    origin_request_policy_id = "b689b0a8-53d0-40ab-baf2-68738e2966ac"
+    path_pattern             = "/api/stac*"
+    smooth_streaming         = "false"
+    target_origin_id         = "stac-api"
+    viewer_protocol_policy   = "allow-all"
+  }
+
+  ordered_cache_behavior {
+    allowed_methods        = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cache_policy_id        = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods         = ["GET", "HEAD"]
+    compress               = "true"
+    default_ttl            = "0"
+    max_ttl                = "0"
+    min_ttl                = "0"
+    path_pattern           = "/api/ingest*"
+    smooth_streaming       = "false"
+    target_origin_id       = "ingest-api"
+    viewer_protocol_policy = "allow-all"
+  }
+
+  ordered_cache_behavior {
+    allowed_methods          = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cache_policy_id          = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods           = ["GET", "HEAD"]
+    compress                 = "true"
+    default_ttl              = "0"
+    max_ttl                  = "0"
+    min_ttl                  = "0"
+    origin_request_policy_id = "b689b0a8-53d0-40ab-baf2-68738e2966ac"
+    path_pattern             = "/api/raster*"
+    smooth_streaming         = "false"
+    target_origin_id         = "raster-api"
+    viewer_protocol_policy   = "allow-all"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "http-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "veda-dev-stac-browser.s3-website-us-west-2.amazonaws.com"
+    origin_id   = "stac-browser"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "https-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "6r8ht9b123.execute-api.us-west-2.amazonaws.com"
+    origin_id   = "ingest-api"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "https-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "xnv4kvaonc.execute-api.us-west-2.amazonaws.com"
+    origin_id   = "stac-api"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "https-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "z8ucwjq9la.execute-api.us-west-2.amazonaws.com"
+    origin_id   = "raster-api"
+  }
+
+  price_class = "PriceClass_All"
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  retain_on_delete = "false"
+
+  tags = {
+    Client  = "nasa-impact"
+    Owner   = "ds"
+    Project = "veda-backend-uah"
+    Stack   = "dev"
+  }
+
+  tags_all = {
+    Client  = "nasa-impact"
+    Owner   = "ds"
+    Project = "veda-backend-uah"
+    Stack   = "dev"
+  }
+
+  viewer_certificate {
+    acm_certificate_arn            = "arn:aws:acm:us-east-1:853558080719:certificate/f31853bf-9741-407c-8bdf-4de0f6fff983"
+    cloudfront_default_certificate = "false"
+    minimum_protocol_version       = "TLSv1.2_2021"
+    ssl_support_method             = "sni-only"
+  }
+}
+
+resource "aws_cloudfront_distribution" "tfer--E38R6RL93G7OLX" {
+  aliases = ["inject-links.delta-backend.com"]
+  comment = "veda-backend-uah-inject-links"
+
+  default_cache_behavior {
+    allowed_methods        = ["GET", "HEAD"]
+    cache_policy_id        = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods         = ["GET", "HEAD"]
+    compress               = "true"
+    default_ttl            = "0"
+    max_ttl                = "0"
+    min_ttl                = "0"
+    smooth_streaming       = "false"
+    target_origin_id       = "stac-browser"
+    viewer_protocol_policy = "allow-all"
+  }
+
+  enabled         = "true"
+  http_version    = "http2"
+  is_ipv6_enabled = "true"
+
+  ordered_cache_behavior {
+    allowed_methods        = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cache_policy_id        = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods         = ["GET", "HEAD"]
+    compress               = "true"
+    default_ttl            = "0"
+    max_ttl                = "0"
+    min_ttl                = "0"
+    path_pattern           = "/api/ingest*"
+    smooth_streaming       = "false"
+    target_origin_id       = "ingest-api"
+    viewer_protocol_policy = "allow-all"
+  }
+
+  ordered_cache_behavior {
+    allowed_methods          = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cache_policy_id          = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods           = ["GET", "HEAD"]
+    compress                 = "true"
+    default_ttl              = "0"
+    max_ttl                  = "0"
+    min_ttl                  = "0"
+    origin_request_policy_id = "b689b0a8-53d0-40ab-baf2-68738e2966ac"
+    path_pattern             = "/api/raster*"
+    smooth_streaming         = "false"
+    target_origin_id         = "raster-api"
+    viewer_protocol_policy   = "allow-all"
+  }
+
+  ordered_cache_behavior {
+    allowed_methods          = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cache_policy_id          = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods           = ["GET", "HEAD"]
+    compress                 = "true"
+    default_ttl              = "0"
+    max_ttl                  = "0"
+    min_ttl                  = "0"
+    origin_request_policy_id = "b689b0a8-53d0-40ab-baf2-68738e2966ac"
+    path_pattern             = "/api/stac*"
+    smooth_streaming         = "false"
+    target_origin_id         = "stac-api"
+    viewer_protocol_policy   = "allow-all"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "http-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "veda-dev-stac-browser.s3-website-us-west-2.amazonaws.com"
+    origin_id   = "stac-browser"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "https-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "6r8ht9b123.execute-api.us-west-2.amazonaws.com"
+    origin_id   = "ingest-api"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "https-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "p2f5bmzwod.execute-api.us-west-2.amazonaws.com"
+    origin_id   = "raster-api"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "https-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "zfsytewkxg.execute-api.us-west-2.amazonaws.com"
+    origin_id   = "stac-api"
+  }
+
+  price_class = "PriceClass_All"
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  retain_on_delete = "false"
+
+  tags = {
+    Client  = "nasa-impact"
+    Owner   = "ds"
+    Project = "veda-backend-uah"
+    Stack   = "inject-links"
+  }
+
+  tags_all = {
+    Client  = "nasa-impact"
+    Owner   = "ds"
+    Project = "veda-backend-uah"
+    Stack   = "inject-links"
+  }
+
+  viewer_certificate {
+    acm_certificate_arn            = "arn:aws:acm:us-east-1:853558080719:certificate/f31853bf-9741-407c-8bdf-4de0f6fff983"
+    cloudfront_default_certificate = "false"
+    minimum_protocol_version       = "TLSv1.2_2021"
+    ssl_support_method             = "sni-only"
+  }
+}
+
+resource "aws_cloudfront_distribution" "tfer--E3DV5Z6DITNR4H" {
+  default_cache_behavior {
+    allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cached_methods  = ["GET", "HEAD"]
+    compress        = "true"
+    default_ttl     = "0"
+
+    forwarded_values {
+      cookies {
+        forward = "all"
+      }
+
+      headers      = ["Authorization", "CloudFront-Is-Desktop-Viewer", "CloudFront-Is-Mobile-Viewer", "CloudFront-Is-Tablet-Viewer", "CloudFront-Viewer-Country"]
+      query_string = "true"
+    }
+
+    lambda_function_association {
+      event_type   = "origin-request"
+      include_body = "true"
+      lambda_arn   = "arn:aws:lambda:us-east-1:853558080719:function:jrxzg5b-o7wkpno:10"
+    }
+
+    lambda_function_association {
+      event_type   = "origin-response"
+      include_body = "false"
+      lambda_arn   = "arn:aws:lambda:us-east-1:853558080719:function:jrxzg5b-o7wkpno:10"
+    }
+
+    max_ttl                = "31536000"
+    min_ttl                = "0"
+    smooth_streaming       = "false"
+    target_origin_id       = "jrxzg5b-nz7bsv9"
+    viewer_protocol_policy = "redirect-to-https"
+  }
+
+  enabled         = "true"
+  http_version    = "http2"
+  is_ipv6_enabled = "true"
+
+  ordered_cache_behavior {
+    allowed_methods = ["GET", "HEAD"]
+    cached_methods  = ["GET", "HEAD"]
+    compress        = "true"
+    default_ttl     = "86400"
+
+    forwarded_values {
+      cookies {
+        forward = "none"
+      }
+
+      query_string = "false"
+    }
+
+    max_ttl                = "31536000"
+    min_ttl                = "0"
+    path_pattern           = "_next/static/*"
+    smooth_streaming       = "false"
+    target_origin_id       = "jrxzg5b-nz7bsv9"
+    viewer_protocol_policy = "https-only"
+  }
+
+  ordered_cache_behavior {
+    allowed_methods = ["GET", "HEAD"]
+    cached_methods  = ["GET", "HEAD"]
+    compress        = "true"
+    default_ttl     = "0"
+
+    forwarded_values {
+      cookies {
+        forward = "all"
+      }
+
+      headers      = ["Authorization", "Host"]
+      query_string = "true"
+    }
+
+    lambda_function_association {
+      event_type   = "origin-request"
+      include_body = "true"
+      lambda_arn   = "arn:aws:lambda:us-east-1:853558080719:function:jrxzg5b-o7wkpno:10"
+    }
+
+    lambda_function_association {
+      event_type   = "origin-response"
+      include_body = "false"
+      lambda_arn   = "arn:aws:lambda:us-east-1:853558080719:function:jrxzg5b-o7wkpno:10"
+    }
+
+    max_ttl                = "31536000"
+    min_ttl                = "0"
+    path_pattern           = "_next/data/*"
+    smooth_streaming       = "false"
+    target_origin_id       = "jrxzg5b-nz7bsv9"
+    viewer_protocol_policy = "https-only"
+  }
+
+  ordered_cache_behavior {
+    allowed_methods = ["GET", "HEAD"]
+    cached_methods  = ["GET", "HEAD"]
+    compress        = "true"
+    default_ttl     = "86400"
+
+    forwarded_values {
+      cookies {
+        forward = "none"
+      }
+
+      query_string = "false"
+    }
+
+    max_ttl                = "31536000"
+    min_ttl                = "0"
+    path_pattern           = "static/*"
+    smooth_streaming       = "false"
+    target_origin_id       = "jrxzg5b-nz7bsv9"
+    viewer_protocol_policy = "https-only"
+  }
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+    domain_name         = "jrxzg5b-nz7bsv9.s3.us-east-1.amazonaws.com"
+    origin_id           = "jrxzg5b-nz7bsv9"
+
+    s3_origin_config {
+      origin_access_identity = "origin-access-identity/cloudfront/E19RD5SRD8O6HB"
+    }
+  }
+
+  price_class = "PriceClass_All"
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  retain_on_delete = "false"
+
+  viewer_certificate {
+    cloudfront_default_certificate = "true"
+    minimum_protocol_version       = "TLSv1"
+  }
+}
+
+resource "aws_cloudfront_distribution" "tfer--E3MLWMRM5IEOSL" {
+  default_cache_behavior {
+    allowed_methods = ["GET", "HEAD", "OPTIONS"]
+    cached_methods  = ["GET", "HEAD"]
+    compress        = "true"
+    default_ttl     = "0"
+
+    forwarded_values {
+      cookies {
+        forward = "all"
+      }
+
+      headers      = ["User-Agent"]
+      query_string = "true"
+    }
+
+    max_ttl                = "0"
+    min_ttl                = "0"
+    smooth_streaming       = "false"
+    target_origin_id       = "amarouane-impact-mwaa-853558080719.s3.us-west-2.amazonaws.com"
+    viewer_protocol_policy = "redirect-to-https"
+  }
+
+  enabled         = "true"
+  http_version    = "http2"
+  is_ipv6_enabled = "true"
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_header {
+      name  = "Access-Control-Allow-Origin"
+      value = "*"
+    }
+
+    custom_header {
+      name  = "Referer"
+      value = "https://d31g35w351v2qf.cloudfront.net/"
+    }
+
+    domain_name = "amarouane-impact-mwaa-853558080719.s3.us-west-2.amazonaws.com"
+    origin_id   = "amarouane-impact-mwaa-853558080719.s3.us-west-2.amazonaws.com"
+
+    s3_origin_config {
+      origin_access_identity = "origin-access-identity/cloudfront/E26EXZJ2AU1N93"
+    }
+  }
+
+  price_class = "PriceClass_All"
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  retain_on_delete = "false"
+
+  viewer_certificate {
+    cloudfront_default_certificate = "true"
+    minimum_protocol_version       = "TLSv1"
+  }
+}
+
+resource "aws_cloudfront_distribution" "tfer--EBU2BO7YIDCW1" {
+  custom_error_response {
+    error_caching_min_ttl = "10"
+    error_code            = "403"
+    response_code         = "200"
+    response_page_path    = "/index.html"
+  }
+
+  custom_error_response {
+    error_caching_min_ttl = "10"
+    error_code            = "404"
+    response_code         = "200"
+    response_page_path    = "/index.html"
+  }
+
+  default_cache_behavior {
+    allowed_methods        = ["GET", "HEAD"]
+    cache_policy_id        = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+    cached_methods         = ["GET", "HEAD"]
+    compress               = "true"
+    default_ttl            = "0"
+    max_ttl                = "0"
+    min_ttl                = "0"
+    smooth_streaming       = "false"
+    target_origin_id       = "earthdata-dashboard-delt-earthdatadashboarddeltad-1toqhuzokn1lp.s3.us-east-1.amazonaws.com"
+    viewer_protocol_policy = "allow-all"
+  }
+
+  enabled         = "true"
+  http_version    = "http2"
+  is_ipv6_enabled = "true"
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "http-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1", "TLSv1.1", "TLSv1.2"]
+    }
+
+    domain_name = "earthdata-dashboard-delt-earthdatadashboarddeltad-1toqhuzokn1lp.s3-website-us-east-1.amazonaws.com"
+    origin_id   = "earthdata-dashboard-delt-earthdatadashboarddeltad-1toqhuzokn1lp.s3.us-east-1.amazonaws.com"
+  }
+
+  price_class = "PriceClass_All"
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  retain_on_delete = "false"
+
+  viewer_certificate {
+    cloudfront_default_certificate = "true"
+    minimum_protocol_version       = "TLSv1"
+  }
+}
+
+resource "aws_cloudfront_distribution" "tfer--EIGP2GHD21T0D" {
+  default_cache_behavior {
+    allowed_methods        = ["GET", "HEAD"]
+    cache_policy_id        = "${aws_cloudfront_cache_policy.tfer--658327ea-f89d-4fab-a63d-7e88639e58f6.id}"
+    cached_methods         = ["GET", "HEAD"]
+    compress               = "true"
+    default_ttl            = "0"
+    max_ttl                = "0"
+    min_ttl                = "0"
+    smooth_streaming       = "false"
+    target_origin_id       = "amarouane-data-browse-test.s3-website-us-west-2.amazonaws.com"
+    viewer_protocol_policy = "allow-all"
+  }
+
+  enabled         = "true"
+  http_version    = "http2"
+  is_ipv6_enabled = "true"
+
+  origin {
+    connection_attempts = "3"
+    connection_timeout  = "10"
+
+    custom_header {
+      name  = "Referer"
+      value = "YW1hcm91YW5lCg"
+    }
+
+    custom_origin_config {
+      http_port                = "80"
+      https_port               = "443"
+      origin_keepalive_timeout = "5"
+      origin_protocol_policy   = "http-only"
+      origin_read_timeout      = "30"
+      origin_ssl_protocols     = ["TLSv1.2"]
+    }
+
+    domain_name = "amarouane-data-browse-test.s3-website-us-west-2.amazonaws.com"
+    origin_id   = "amarouane-data-browse-test.s3-website-us-west-2.amazonaws.com"
+  }
+
+  price_class = "PriceClass_All"
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+
+  retain_on_delete = "false"
+
+  viewer_certificate {
+    cloudfront_default_certificate = "true"
+    minimum_protocol_version       = "TLSv1"
+  }
+}
diff --git a/terraform/veda-wfs3-shared-mcp/generated/aws/cloudfront/outputs.tf b/terraform/veda-wfs3-shared-mcp/generated/aws/cloudfront/outputs.tf
new file mode 100755
index 0000000..c6a1a22
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/generated/aws/cloudfront/outputs.tf
@@ -0,0 +1,63 @@
+output "aws_cloudfront_cache_policy_tfer--08627262-05a9-4f76-9ded-b50ca2e3a84f_id" {
+  value = "${aws_cloudfront_cache_policy.tfer--08627262-05a9-4f76-9ded-b50ca2e3a84f.id}"
+}
+
+output "aws_cloudfront_cache_policy_tfer--28a8e074-fa92-49d8-b10d-b4f912db6176_id" {
+  value = "${aws_cloudfront_cache_policy.tfer--28a8e074-fa92-49d8-b10d-b4f912db6176.id}"
+}
+
+output "aws_cloudfront_cache_policy_tfer--2e54312d-136d-493c-8eb9-b001f22f67d2_id" {
+  value = "${aws_cloudfront_cache_policy.tfer--2e54312d-136d-493c-8eb9-b001f22f67d2.id}"
+}
+
+output "aws_cloudfront_cache_policy_tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad_id" {
+  value = "${aws_cloudfront_cache_policy.tfer--4135ea2d-6df8-44a3-9df3-4b5a84be39ad.id}"
+}
+
+output "aws_cloudfront_cache_policy_tfer--658327ea-f89d-4fab-a63d-7e88639e58f6_id" {
+  value = "${aws_cloudfront_cache_policy.tfer--658327ea-f89d-4fab-a63d-7e88639e58f6.id}"
+}
+
+output "aws_cloudfront_cache_policy_tfer--b2884449-e4de-46a7-ac36-70bc7f1ddd6d_id" {
+  value = "${aws_cloudfront_cache_policy.tfer--b2884449-e4de-46a7-ac36-70bc7f1ddd6d.id}"
+}
+
+output "aws_cloudfront_cache_policy_tfer--d365e40d-cd44-48b4-9b1b-c1b82e278e8e_id" {
+  value = "${aws_cloudfront_cache_policy.tfer--d365e40d-cd44-48b4-9b1b-c1b82e278e8e.id}"
+}
+
+output "aws_cloudfront_distribution_tfer--E19SG8OJH9PZ0W_id" {
+  value = "${aws_cloudfront_distribution.tfer--E19SG8OJH9PZ0W.id}"
+}
+
+output "aws_cloudfront_distribution_tfer--E1MYAUHEUHR59N_id" {
+  value = "${aws_cloudfront_distribution.tfer--E1MYAUHEUHR59N.id}"
+}
+
+output "aws_cloudfront_distribution_tfer--E1P87SC03QQ2OJ_id" {
+  value = "${aws_cloudfront_distribution.tfer--E1P87SC03QQ2OJ.id}"
+}
+
+output "aws_cloudfront_distribution_tfer--E1T7VRMWT58GVT_id" {
+  value = "${aws_cloudfront_distribution.tfer--E1T7VRMWT58GVT.id}"
+}
+
+output "aws_cloudfront_distribution_tfer--E38R6RL93G7OLX_id" {
+  value = "${aws_cloudfront_distribution.tfer--E38R6RL93G7OLX.id}"
+}
+
+output "aws_cloudfront_distribution_tfer--E3DV5Z6DITNR4H_id" {
+  value = "${aws_cloudfront_distribution.tfer--E3DV5Z6DITNR4H.id}"
+}
+
+output "aws_cloudfront_distribution_tfer--E3MLWMRM5IEOSL_id" {
+  value = "${aws_cloudfront_distribution.tfer--E3MLWMRM5IEOSL.id}"
+}
+
+output "aws_cloudfront_distribution_tfer--EBU2BO7YIDCW1_id" {
+  value = "${aws_cloudfront_distribution.tfer--EBU2BO7YIDCW1.id}"
+}
+
+output "aws_cloudfront_distribution_tfer--EIGP2GHD21T0D_id" {
+  value = "${aws_cloudfront_distribution.tfer--EIGP2GHD21T0D.id}"
+}
diff --git a/terraform/veda-wfs3-shared-mcp/generated/aws/cloudfront/provider.tf b/terraform/veda-wfs3-shared-mcp/generated/aws/cloudfront/provider.tf
new file mode 100755
index 0000000..1459edd
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/generated/aws/cloudfront/provider.tf
@@ -0,0 +1,11 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+terraform {
+	required_providers {
+		aws = {
+	    version = "~> 4.67.0"
+		}
+  }
+}
diff --git a/terraform/veda-wfs3-shared-mcp/github_deploy_user.tf b/terraform/veda-wfs3-shared-mcp/github_deploy_user.tf
new file mode 100644
index 0000000..d406cfc
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/github_deploy_user.tf
@@ -0,0 +1,32 @@
+resource "aws_iam_user" "deploy_user" {
+  name = "veda-wfs3-${var.env}-deploy-user"
+  path = "/"
+  tags = var.tags
+}
+
+// NOTE: we need to have extra policies added to our
+// deploy user for Github AWS Actions to work
+resource "aws_iam_user_policy" "deploy" {
+  name   = "${var.registry_name}_deploy_extended"
+  user   = aws_iam_user.deploy_user.name
+  policy = data.aws_iam_policy_document.extended_deploy.json
+}
+
+data "aws_iam_policy_document" "extended_deploy" {
+  statement {
+    actions = [
+      "iam:PassRole",
+      "ecr:InitiateLayerUpload",
+      "ecs:RegisterTaskDefinition",
+      "ecs:DescribeServices",
+      "ecs:UpdateService",
+    ]
+
+    resources = [
+      aws_ecr_repository.service.arn,
+      module.ecs_cluster.service_cluster_arn,
+      module.ecs_cluster.service_arn,
+      module.ecs_cluster.ecs_execution_role_arn,
+    ]
+  }
+}
\ No newline at end of file
diff --git a/terraform/veda-wfs3-shared-mcp/init.tf b/terraform/veda-wfs3-shared-mcp/init.tf
new file mode 100644
index 0000000..e2230f6
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/init.tf
@@ -0,0 +1,24 @@
+provider "aws" {
+  alias  = "west1"
+  region = "us-west-1"
+}
+
+provider "aws" {
+  alias  = "west2"
+  region = "us-west-2"
+}
+
+terraform {
+  required_version = "1.3.9"
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.0"
+    }
+  }
+  backend "s3" {
+    bucket         = "veda-wfs3-shared-mcp-prod-tf-state-bucket-v1"
+    key            = "root"
+    region         = "us-west-2"
+  }
+}
diff --git a/terraform/veda-wfs3-shared-mcp/load_balancer_west_2.tf b/terraform/veda-wfs3-shared-mcp/load_balancer_west_2.tf
new file mode 100644
index 0000000..6e0636d
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/load_balancer_west_2.tf
@@ -0,0 +1,127 @@
+
+/* security group for ALB */
+resource "aws_security_group" "web_inbound_sg" {
+  name        = "tf-${var.project_name}-${var.env}-web-inbound-sg"
+  description = "Allow HTTP from Anywhere into ALB"
+  vpc_id      = "${data.aws_vpc.vpc.id}"
+
+  ingress {
+    from_port   = 80
+    to_port     = 80
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 8
+    to_port     = 0
+    protocol    = "icmp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "tf-${var.project_name}-${var.env}-web-inbound-sg"
+  }
+}
+
+resource "aws_security_group" "https_web_inbound_sg" {
+  name        = "tf-${var.project_name}-${var.env}-https-web-inbound-sg"
+  description = "Allow HTTPS from Anywhere into ALB"
+  vpc_id      = "${data.aws_vpc.vpc.id}"
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  ingress {
+    from_port   = 8
+    to_port     = 8
+    protocol    = "icmp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "tf-${var.project_name}-${var.env}-https-web-inbound-sg"
+  }
+}
+
+resource "aws_alb" "alb_ecs" {
+  name            = "tf-${var.project_name}-${var.env}-alb"
+  subnets         = data.aws_subnets.public_subnet_ids.ids
+  security_groups = concat(["${data.aws_security_group.default.id}"], [aws_security_group.web_inbound_sg.id, aws_security_group.https_web_inbound_sg.id])
+
+  tags = merge({
+    Name        = "tf-${var.project_name}-alb"
+  }, var.tags)
+}
+
+resource "aws_alb_target_group" "alb_target_group" {
+  name                 = "tf-${var.project_name}-${var.env}-tgp"
+  port                 = var.service_port
+  protocol             = "HTTP"
+  vpc_id               = "${data.aws_vpc.vpc.id}"
+  target_type          = "ip"
+  deregistration_delay = 60
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  health_check {
+    interval            = 60
+    path                = "/healthz"
+    port                = var.service_port
+    protocol            = "HTTP"
+    matcher             = "200"
+    timeout             = 5
+    healthy_threshold   = 2
+    unhealthy_threshold = 4
+  }
+
+  depends_on = [
+    aws_alb.alb_ecs
+  ]
+}
+
+resource "aws_alb_listener" "alb_listener_ecs" {
+  load_balancer_arn = aws_alb.alb_ecs.arn
+  port              = 80
+  protocol          = var.alb_protocol
+  depends_on        = [aws_alb_target_group.alb_target_group]
+
+  default_action {
+    target_group_arn = aws_alb_target_group.alb_target_group.arn
+    type             = "forward"
+  }
+}
+
+#resource "aws_alb_listener" "alb_listener_ecs" {
+#  load_balancer_arn = aws_alb.alb_ecs.arn
+#  port              = 443
+#  protocol          = var.alb_protocol
+#  ssl_policy        = "ELBSecurityPolicy-2016-08"
+#  certificate_arn   = aws_acm_certificate.cert.arn
+#  depends_on        = [aws_alb_target_group.alb_target_group]
+#
+#  default_action {
+#    target_group_arn = aws_alb_target_group.alb_target_group.arn
+#    type             = "forward"
+#  }
+#}
\ No newline at end of file
diff --git a/terraform/veda-wfs3-shared-mcp/outputs.tf b/terraform/veda-wfs3-shared-mcp/outputs.tf
new file mode 100644
index 0000000..36f9396
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/outputs.tf
@@ -0,0 +1,30 @@
+output "rds_hostname" {
+  description = "RDS instance hostname"
+  value       = aws_db_instance.db.address
+}
+
+output "rds_port" {
+  description = "RDS instance port"
+  value       = aws_db_instance.db.port
+}
+
+output "rds_username" {
+  description = "RDS instance root username"
+  value       = aws_db_instance.db.username
+}
+
+output "protocol_on_aws_alb_listener" {
+  description = "HTTP/HTTPS protocol on the ALB Listener"
+  value       = aws_alb_listener.alb_listener_ecs.protocol
+}
+
+output "s3_event_bridge_lambda_arn" {
+  value = "${aws_lambda_function.lambda.arn}:${aws_lambda_function.lambda.version}"
+}
+
+output "aws_private_subnet_ids" {
+  value = "${data.aws_subnets.private_subnet_ids.ids}"
+}
+output "aws_public_subnet_ids" {
+  value = "${data.aws_subnets.public_subnet_ids.ids}"
+}
diff --git a/terraform/veda-wfs3-shared-mcp/rds.tf b/terraform/veda-wfs3-shared-mcp/rds.tf
new file mode 100644
index 0000000..9a0491c
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/rds.tf
@@ -0,0 +1,70 @@
+resource "aws_db_subnet_group" "db" {
+  name       = "tf-${var.project_name}-${var.env}-subnet-group"
+  subnet_ids = data.aws_subnets.private_subnet_ids.ids
+  tags = {
+    Name = "tf-${var.project_name}-subnet-group"
+  }
+}
+
+resource "aws_db_parameter_group" "default" {
+  name   = "tf-${var.project_name}-${var.env}-postgres14-param-group"
+  family = "postgres14"
+
+  parameter {
+    name  = "work_mem"
+    # NOTE: I had `work_mem` set to ~100MB and `max_connections` around 75 and TileJSON completely failed
+    # 16MB
+    value = var.env == "staging" ? "16384" : "8192"
+  }
+
+  parameter {
+    name  = "max_connections"
+    value = "475"
+    apply_method = "pending-reboot"
+  }
+
+#  NOTE: here to show what shared_buffers are but doesn't really make sense why it won't provision with these
+#  parameter {
+#    name  = "shared_buffers"
+#    value = var.env == "staging" ? "8064856" : "4032428"
+#    apply_method = "pending-reboot"
+#  }
+
+  parameter {
+    name  = "seq_page_cost"
+    value = "1"
+  }
+
+  parameter {
+    name  = "random_page_cost"
+    value = "1.2"
+  }
+}
+
+resource "random_password" "master_password" {
+  length  = 16
+  special = false
+}
+
+resource "aws_db_instance" "db" {
+  db_name                  = "veda"
+  identifier               = "${var.project_name}-${var.env}"
+  engine                   = "postgres"
+  engine_version           = "14.7"
+  // https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_CreateDBInstance.html
+  allocated_storage        = 100
+  max_allocated_storage    = 500
+  storage_type             = "gp2"
+  instance_class           = var.env == "staging" ? "db.r5.xlarge" : "db.r5.large"
+  db_subnet_group_name     = aws_db_subnet_group.db.name
+  vpc_security_group_ids   = ["${data.aws_security_group.default.id}"]
+  skip_final_snapshot      = true
+  apply_immediately        = true
+  backup_retention_period  = 7
+  username                 = "postgres"
+  password                 = random_password.master_password.result
+  allow_major_version_upgrade = true
+  parameter_group_name     = aws_db_parameter_group.default.name
+}
+
+
diff --git a/terraform/veda-wfs3-shared-mcp/s3_event_bridge_lambda.tf b/terraform/veda-wfs3-shared-mcp/s3_event_bridge_lambda.tf
new file mode 100644
index 0000000..77ae894
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/s3_event_bridge_lambda.tf
@@ -0,0 +1,167 @@
+#####################################################
+# Execution Role
+#####################################################
+resource "aws_iam_role" "lambda_exec_role" {
+  provider = aws.west2
+  name = "lambda-exec-role-s3-event-bridge-${var.project_name}-${var.env}"
+  tags = var.tags
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
+
+###############################
+# Logging
+###############################
+resource "aws_iam_policy" "lambda_logging" {
+  provider = aws.west2
+  name        = "lambda-logging-${var.project_name}-${var.env}"
+  path        = "/"
+  description = "IAM policy for logging from a lambda"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "logs:CreateLogGroup",
+        "logs:CreateLogStream",
+        "logs:PutLogEvents"
+      ],
+      "Resource": "${aws_cloudwatch_log_group.group.arn}",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_logs" {
+  provider = aws.west2
+  role       = aws_iam_role.lambda_exec_role.name
+  policy_arn = aws_iam_policy.lambda_logging.arn
+}
+
+###############################
+# SFN StartExecution Policy
+###############################
+resource "aws_iam_policy" "lambda_sfn_start_exec" {
+  provider = aws.west2
+  name        = "lambda-startexec-on-sfn-${var.project_name}-${var.env}"
+  path        = "/"
+  description = "IAM policy for allowing lambda to start execution on SFN"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "states:StartExecution"
+      ],
+      "Resource": "arn:aws:states:us-west-1:853558080719:stateMachine:veda-data-pipelines-dev-vector-stepfunction-discover",
+      "Effect": "Allow"
+    }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_sfn_start_exec" {
+  provider = aws.west2
+  role       = aws_iam_role.lambda_exec_role.name
+  policy_arn = aws_iam_policy.lambda_sfn_start_exec.arn
+}
+
+###############################
+# MWAA Trigger Permissions
+###############################
+resource "aws_iam_policy" "lambda_trigger_mwaa_job" {
+  provider = aws.west2
+  name        = "lambda-trigger-mwaa-${var.project_name}-${var.env}"
+  path        = "/"
+  description = "IAM policy for allowing lambda to trigger MWAA"
+
+  policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+      {
+          "Effect": "Allow",
+          "Action": "airflow:ListEnvironments",
+          "Resource": "*"
+      },
+      {
+          "Effect": "Allow",
+          "Action": "airflow:*",
+          "Resource": [
+              "arn:aws:airflow:us-west-2:853558080719:environment/veda-pipeline-staging-mwaa",
+              "arn:aws:airflow:us-west-2:853558080719:environment/veda-pipeline-dev-mwaa",
+              "arn:aws:airflow:us-west-2:853558080719:environment/veda-pipeline-sit-mwaa"
+          ]
+      }
+  ]
+}
+EOF
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_trigger_mwaa_job" {
+  provider = aws.west2
+  role       = aws_iam_role.lambda_exec_role.name
+  policy_arn = aws_iam_policy.lambda_trigger_mwaa_job.arn
+}
+
+#####################################################
+# Lambda
+#####################################################
+data "archive_file" "archive" {
+  type        = "zip"
+  source_dir  = "functions/s3_event_bridge_to_sfn_execute"
+  output_path = "s3_event_bridge_to_sfn_execute.zip"
+}
+
+resource "aws_lambda_function" "lambda" {
+  provider = aws.west2
+  filename         = "s3_event_bridge_to_sfn_execute.zip"
+  function_name    = "s3-event-bridge-to-sfn-execute-${var.project_name}-${var.env}"
+  role             = aws_iam_role.lambda_exec_role.arn
+  handler          = "lambda_function.lambda_handler"
+  source_code_hash = data.archive_file.archive.output_base64sha256
+  runtime          = "python3.7"
+  publish          = true
+  tags             = var.tags
+}
+
+resource "aws_cloudwatch_log_group" "group" {
+  provider = aws.west2
+  name              = "/aws/lambda/${aws_lambda_function.lambda.function_name}"
+  retention_in_days = 5
+  tags              = var.tags
+}
+
+#####################################################
+# RESOURCE POLICY for EVENT INVOCATION
+#####################################################
+resource "aws_lambda_permission" "s3_invoke" {
+  provider = aws.west2
+  action           = "lambda:InvokeFunction"
+  function_name    = aws_lambda_function.lambda.function_name
+  principal        = "s3.amazonaws.com"
+  statement_id     = "AllowInvocationFromS3Bucket-${var.project_name}-${var.env}"
+  source_account   = "114506680961"
+  source_arn       = "arn:aws:s3:::veda-data-store-staging"
+}
diff --git a/terraform/veda-wfs3-shared-mcp/secret_manager.tf b/terraform/veda-wfs3-shared-mcp/secret_manager.tf
new file mode 100644
index 0000000..6742919
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/secret_manager.tf
@@ -0,0 +1,47 @@
+########################################################################
+# Key for secrets
+########################################################################
+data "aws_kms_key" "secretsmanager" {
+  key_id = "alias/aws/secretsmanager"
+}
+
+
+########################################################################
+# Secrets
+########################################################################
+resource "random_id" "sm_suffix" {
+  byte_length = 2
+}
+
+resource "aws_secretsmanager_secret" "config" {
+  name                    = "aws-config-${random_id.sm_suffix.hex}"
+  kms_key_id              = data.aws_kms_key.secretsmanager.id
+  tags                    = var.tags
+}
+
+resource "aws_secretsmanager_secret" "db_config" {
+  name                    = "${var.project_name}-${var.env}-db-config-v2"
+  kms_key_id              = data.aws_kms_key.secretsmanager.id
+  tags                    = var.tags
+}
+
+########################################################################
+# Key/Value default to prevent task definitions from stopping at runtime
+########################################################################
+resource "aws_secretsmanager_secret_version" "default" {
+  secret_id     = aws_secretsmanager_secret.config.id
+  secret_string = jsonencode(var.default_secret)
+}
+
+resource "aws_secretsmanager_secret_version" "db" {
+  secret_id     = aws_secretsmanager_secret.db_config.id
+  secret_string = jsonencode({
+    username    = aws_db_instance.db.username,
+    password    = random_password.master_password.result,
+    host        = aws_db_instance.db.address,
+    port        = aws_db_instance.db.port,
+    dbname      = aws_db_instance.db.db_name,
+    engine      = aws_db_instance.db.engine,
+    vpc_id      = data.aws_vpc.vpc.id
+  })
+}
diff --git a/terraform/veda-wfs3-shared-mcp/variables.tf b/terraform/veda-wfs3-shared-mcp/variables.tf
new file mode 100755
index 0000000..b66cebb
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/variables.tf
@@ -0,0 +1,64 @@
+variable "region" {
+}
+
+variable "registry_name" {
+}
+
+variable "env" {
+}
+
+variable "project_name" {
+}
+
+variable "tags" {
+  type        = map
+  default     = {}
+  description = "Optional tags to add to resources"
+}
+
+variable "availability_zones" {
+  type        = list
+  description = "The az that the resources will be launched"
+}
+
+variable service_port {}
+
+# Key/Value default to prevent task definitions from stopping at runtime
+variable default_secret {
+  default = {
+    noop: "noop"
+  }
+  type = map
+}
+
+#variable "dns_zone_name" {
+#}
+#
+#variable "dns_subdomain" {
+#
+#}
+variable "alb_protocol" {}
+
+variable "ecs_protocol" {}
+
+variable "vpc_id" {
+  type        = string
+  description = "ID of the existing VPC to deploy into. This should come from an environment variable sourced from /.envtf.sh. See `envtf.template`"
+  sensitive   = true
+}
+
+variable "private_subnet_tag" {
+  type        = map
+  description = "key/value that will be used by the data sources to search for the correct private subnet to add the ECS service to. defaults below are for UAH"
+  default = {
+    "aws-cdk:subnet-name" : "*private*"
+  }
+}
+
+variable "public_subnet_tag" {
+  type        = map
+  description = "key/value that will be used by the data sources to search for the correct public subnet to add the ECS service to. defaults below are for UAH"
+  default = {
+    "aws-cdk:subnet-name" : "*public*"
+  }
+}
diff --git a/terraform/veda-wfs3-shared-mcp/vars/dev.tf b/terraform/veda-wfs3-shared-mcp/vars/dev.tf
new file mode 100644
index 0000000..cfcfc2c
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/vars/dev.tf
@@ -0,0 +1,13 @@
+region             = "us-west-2"
+registry_name      = "veda-wfs3-registry"
+env                = "dev"
+project_name       = "veda-wfs3"
+availability_zones = ["us-west-1a", "us-west-1b"]
+service_port       = 8080
+dns_zone_name      = ""
+dns_subdomain      = ""
+alb_protocol       = "HTTPS"
+tags               = {"project": "veda", "service": "wfs3"}
+default_secret     = {
+    "noop": "boop",
+}
diff --git a/terraform/veda-wfs3-shared-mcp/vars/prod.tf b/terraform/veda-wfs3-shared-mcp/vars/prod.tf
new file mode 100644
index 0000000..6ef0b8e
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/vars/prod.tf
@@ -0,0 +1,14 @@
+region             = "us-west-2"
+registry_name      = "veda-wfs3-registry"
+env                = "prod"
+project_name       = "veda-wfs3"
+availability_zones = ["us-west-2a", "us-west-2b"]
+service_port       = 8080
+#dns_zone_name      = "delta-backend.com"
+#dns_subdomain      = "testing"
+alb_protocol       = "HTTP"
+ecs_protocol       = "HTTP"
+tags               = {"project": "veda", "service": "wfs3"}
+default_secret     = {
+    "noop": "boop",
+}
diff --git a/terraform/veda-wfs3-shared-mcp/vpc.tf b/terraform/veda-wfs3-shared-mcp/vpc.tf
new file mode 100644
index 0000000..903ddd4
--- /dev/null
+++ b/terraform/veda-wfs3-shared-mcp/vpc.tf
@@ -0,0 +1,64 @@
+data "aws_vpc" "vpc" {
+  id = "${var.vpc_id}"
+}
+
+data "aws_security_group" "default" {
+  vpc_id = "${data.aws_vpc.vpc.id}"
+
+  filter {
+    name   = "group-name"
+    values = ["default"]
+  }
+}
+
+data "aws_subnets" "private_subnet_ids" {
+  filter {
+    name   = "vpc-id"
+    values = ["${data.aws_vpc.vpc.id}"]
+  }
+
+  tags = {
+    "${tolist(keys(var.private_subnet_tag))[0]}" = "${tolist(values(var.private_subnet_tag))[0]}"
+  }
+}
+
+data "aws_subnets" "public_subnet_ids" {
+  filter {
+    name   = "vpc-id"
+    values = ["${data.aws_vpc.vpc.id}"]
+  }
+
+  tags = {
+    "${tolist(keys(var.public_subnet_tag))[0]}" = "${tolist(values(var.public_subnet_tag))[0]}"
+  }
+}
+
+resource "aws_security_group_rule" "ecs_service_port_addon" {
+  description = "opened for ECS service port"
+  type        = "ingress"
+  from_port   = var.service_port
+  to_port     = var.service_port
+  protocol    = "tcp"
+  security_group_id        = "${data.aws_security_group.default.id}"
+  source_security_group_id = "${data.aws_security_group.default.id}"
+
+  lifecycle {
+    # Necessary if changing 'name' or 'name_prefix' properties.
+    create_before_destroy = true
+  }
+}
+
+resource "aws_security_group_rule" "rds_ingress_addon" {
+  description = "Allow ESC to talk to RDS"
+  type        = "ingress"
+  from_port   = 5432
+  to_port     = 5432
+  protocol    = "tcp"
+  security_group_id        = "${data.aws_security_group.default.id}"
+  source_security_group_id = "${module.ecs_cluster.service_security_group_id}"
+
+  lifecycle {
+    # Necessary if changing 'name' or 'name_prefix' properties.
+    create_before_destroy = true
+  }
+}
diff --git a/terraform/veda-wfs3/ecs_api.tf b/terraform/veda-wfs3/ecs_api.tf
index 1edbdfe..24c9631 100644
--- a/terraform/veda-wfs3/ecs_api.tf
+++ b/terraform/veda-wfs3/ecs_api.tf
@@ -67,7 +67,7 @@ module "ecs_cluster" {
     {
       // stupid hack b/c of FastAPI and Starlette bug
       name = "FAST_API_SCHEME"
-      value = var.env == "west2-staging" ? "https" : "http"
+      value = "${var.ecs_protocol}"
     },
     {
       name = "TIPG_CATALOG_TTL"
@@ -80,7 +80,7 @@ module "ecs_cluster" {
 
   use_adot_as_sidecar = true
   use_ecr = true
-  ecr_repository_name = module.ecr_registry.registry_name
+  ecr_repository_arn  = module.ecr_registry.registry_arn
   image = "${module.ecr_registry.repository_url}:latest"
 
   load_balancer = true
diff --git a/terraform/veda-wfs3/variables.tf b/terraform/veda-wfs3/variables.tf
index 7645237..cd18e2d 100755
--- a/terraform/veda-wfs3/variables.tf
+++ b/terraform/veda-wfs3/variables.tf
@@ -46,3 +46,5 @@ variable "dns_subdomain" {
 
 variable "alb_protocol" {}
 
+variable "ecs_protocol" {}
+
diff --git a/terraform/veda-wfs3/vars/dev.tf b/terraform/veda-wfs3/vars/dev.tf
index 13c5122..e90c6f5 100644
--- a/terraform/veda-wfs3/vars/dev.tf
+++ b/terraform/veda-wfs3/vars/dev.tf
@@ -6,6 +6,8 @@ availability_zones = ["us-west-1a", "us-west-1b"]
 service_port       = 8080
 dns_zone_name      = ""
 dns_subdomain      = ""
+alb_protocol       = "HTTPS"
+ecs_protocol       = "HTTP"
 tags               = {"project": "veda", "service": "wfs3"}
 default_secret     = {
     "noop": "boop",
diff --git a/terraform/veda-wfs3/vars/west2-staging.tf b/terraform/veda-wfs3/vars/west2-staging.tf
index 8b6ab5c..e5565ae 100644
--- a/terraform/veda-wfs3/vars/west2-staging.tf
+++ b/terraform/veda-wfs3/vars/west2-staging.tf
@@ -7,6 +7,7 @@ service_port       = 8080
 dns_zone_name      = "delta-backend.com"
 dns_subdomain      = "firenrt"
 alb_protocol       = "HTTPS"
+ecs_protocol       = "HTTPS"
 tags               = {"project": "veda", "service": "wfs3"}
 default_secret     = {
     "noop": "boop",
diff --git a/veda-wfs3-app/Dockerfile b/veda-wfs3-app/Dockerfile
index 3efd428..2da3787 100644
--- a/veda-wfs3-app/Dockerfile
+++ b/veda-wfs3-app/Dockerfile
@@ -17,6 +17,7 @@ RUN apt-get -y update \
             locales \
             tzdata \
             wget \
+            postgresql-client-13 \
     && apt-get clean -y \
     && rm -rf /var/lib/apt/lists/*
 
diff --git a/veda-wfs3-app/startup.sh b/veda-wfs3-app/startup.sh
index 867512f..36440f3 100644
--- a/veda-wfs3-app/startup.sh
+++ b/veda-wfs3-app/startup.sh
@@ -1,6 +1,25 @@
 ################################################################
 # FAST API
 #################################################################
-opentelemetry-bootstrap --action=install \
-  && opentelemetry-instrument python /opt/bitnami/python/bin/uvicorn \
-  fast_api_main:app --proxy-headers --forwarded-allow-ips="*"  --host 0.0.0.0 --port 8080
+echo "######## DB SETUP ########" | tee /dev/stderr
+echo $DB_CONFIG | jq -r "to_entries|map(\"export \(.key)=\(.value|tostring)\")|.[]" > .env
+chmod 777 .env && source .env
+psql -d "postgresql://${username}:${password}@${host}/${dbname}" -c "CREATE EXTENSION IF NOT EXISTS postgis;"
+psqloutput=$(psql -d "postgresql://${username}:${password}@${host}/${dbname}" -c "SELECT extname FROM pg_extension WHERE extname = 'postgis';")
+echo $psqloutput | tee /dev/stderr
+echo "######## END DB SETUP ########" | tee /dev/stderr
+
+if [ "$ENVIRONMENT" == "prod" ]; then
+  echo "[ ENVIRONMENT PROD WITH ROOT PATH ]"
+  /opt/bitnami/python/bin/uvicorn fast_api_main:app --proxy-headers --forwarded-allow-ips="*"  --host 0.0.0.0 --port 8080 --root-path=/api/features
+elif [ "$ENVIRONMENT" == "dev" ]; then
+  /opt/bitnami/python/bin/uvicorn fast_api_main:app --proxy-headers --forwarded-allow-ips="*"  --host 0.0.0.0 --port 8080
+elif [ "$ENVIRONMENT" == "west2-staging" ]; then
+  opentelemetry-bootstrap --action=install \
+    && opentelemetry-instrument python /opt/bitnami/python/bin/uvicorn \
+    fast_api_main:app --proxy-headers --forwarded-allow-ips="*"  --host 0.0.0.0 --port 8080
+else
+  echo "[ ENVIRONMENT UNKNOWN ]: value='$ENVIRONMENT'...exiting"
+  exit 1
+fi
+