diff --git a/grafana/non-prod/terraform/.gitignore b/grafana/non-prod/terraform/.gitignore
new file mode 100644
index 000000000..ad9e03dcc
--- /dev/null
+++ b/grafana/non-prod/terraform/.gitignore
@@ -0,0 +1,7 @@
+# Compiled files
+*.tfstate
+*.tfstate.backup
+.terraform.tfstate.lock.info
+
+# Module directory
+.terraform/
\ No newline at end of file
diff --git a/grafana/non-prod/terraform/.terraform.lock.hcl b/grafana/non-prod/terraform/.terraform.lock.hcl
new file mode 100644
index 000000000..397338b48
--- /dev/null
+++ b/grafana/non-prod/terraform/.terraform.lock.hcl
@@ -0,0 +1,74 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+  version     = "5.91.0"
+  constraints = "~> 5.0"
+  hashes = [
+    "h1:bZ3AM8Qd1veQoUJqOb7OVp/ElmLg/hkz3bHL2DZZ5Tk=",
+    "zh:03ee14261b25aee94c735ed6ef7cce47900ab7bdf462335432ca034d0ba74ca2",
+    "zh:32a3759049c9c2cd041d1257cf16cb90a5ce586e1d0a6fe5f8ebd0ec1ba8e071",
+    "zh:334db69bc6d8643ec4ea432f0e54e851c2394bbe889cca29ca5029db0e4699e8",
+    "zh:39957a4a900f100ea8d85845a42164a44c9efea8559a9e74ab4f6a1193e20c3e",
+    "zh:8831396c764815eb367601a522c51c2e9e8fc38bcaa5f5e83f21de771778e9ba",
+    "zh:8e71ab68c27f909892a063f845d92faa487297ad9bbc67c77a67194e509781e6",
+    "zh:944df1084a7ea37a4feea0ee6654fd15891ef4829c5453bc149ffbcc0ab9bad7",
+    "zh:964391527624f2e66a4eb387ad0a30a1b67a896e9395b6d01353f2572723ea03",
+    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+    "zh:bb956c660185161e8ce1ed1dbf187c9f549d1779673fe798211dd5b02b98c737",
+    "zh:c237199ca8cd88f4aab4c673f848c77670b90d98a484fef6bcd31a71ff63d9b9",
+    "zh:c7522f6072f8ba29f4a6d0f994eda8a381ed2f4a41dbe44c4d989c44852cfe63",
+    "zh:d412a852ced01433c44f222952b60974f7c297a8a21bef62c9a627b050084134",
+    "zh:e420266b772041fa89e5868594ed21c8c3090d76b3ec0262054f768a7807f5a7",
+    "zh:ecfcc7844e9e01123920a4b0e667a4688654e3f22f00890ec80ddd78e7312eda",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/null" {
+  version = "3.2.3"
+  hashes = [
+    "h1:I0Um8UkrMUb81Fxq/dxbr3HLP2cecTH2WMJiwKSrwQY=",
+    "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2",
+    "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d",
+    "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3",
+    "zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f",
+    "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1",
+    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+    "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301",
+    "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670",
+    "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed",
+    "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65",
+    "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd",
+    "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5",
+  ]
+}
+
+provider "registry.terraform.io/hashicorp/template" {
+  version     = "2.2.0"
+  constraints = "~> 2.2.0"
+  hashes = [
+    "h1:44Le5zVomtfOfKUsH+utlMXOcHwPe4CWyCi+0f8y0XQ=",
+  ]
+}
+
+provider "registry.terraform.io/kreuzwerker/docker" {
+  version     = "3.0.2"
+  constraints = "3.0.2"
+  hashes = [
+    "h1:XjdpVL61KtTsuPE8swok3GY8A+Bu3TZs8T2DOEpyiXo=",
+    "zh:15b0a2b2b563d8d40f62f83057d91acb02cd0096f207488d8b4298a59203d64f",
+    "zh:23d919de139f7cd5ebfd2ff1b94e6d9913f0977fcfc2ca02e1573be53e269f95",
+    "zh:38081b3fe317c7e9555b2aaad325ad3fa516a886d2dfa8605ae6a809c1072138",
+    "zh:4a9c5065b178082f79ad8160243369c185214d874ff5048556d48d3edd03c4da",
+    "zh:5438ef6afe057945f28bce43d76c4401254073de01a774760169ac1058830ac2",
+    "zh:60b7fadc287166e5c9873dfe53a7976d98244979e0ab66428ea0dea1ebf33e06",
+    "zh:61c5ec1cb94e4c4a4fb1e4a24576d5f39a955f09afb17dab982de62b70a9bdd1",
+    "zh:a38fe9016ace5f911ab00c88e64b156ebbbbfb72a51a44da3c13d442cd214710",
+    "zh:c2c4d2b1fd9ebb291c57f524b3bf9d0994ff3e815c0cd9c9bcb87166dc687005",
+    "zh:d567bb8ce483ab2cf0602e07eae57027a1a53994aba470fa76095912a505533d",
+    "zh:e83bf05ab6a19dd8c43547ce9a8a511f8c331a124d11ac64687c764ab9d5a792",
+    "zh:e90c934b5cd65516fbcc454c89a150bfa726e7cf1fe749790c7480bbeb19d387",
+    "zh:f05f167d2eaf913045d8e7b88c13757e3cf595dd5cd333057fdafc7c4b7fed62",
+    "zh:fcc9c1cea5ce85e8bcb593862e699a881bd36dffd29e2e367f82d15368659c3d",
+  ]
+}
diff --git a/grafana/non-prod/terraform/all.tf b/grafana/non-prod/terraform/all.tf
new file mode 100644
index 000000000..20dba833d
--- /dev/null
+++ b/grafana/non-prod/terraform/all.tf
@@ -0,0 +1,551 @@
+# alb.tf
+
+resource "aws_alb" "main" {
+  name            = "${var.prefix}-alb"
+  subnets         = aws_subnet.grafana_public[*].id
+  security_groups = [aws_security_group.lb.id]
+}
+
+resource "aws_alb_target_group" "app" {
+  name        = "${var.prefix}-alb-tg"
+  port        = 3000
+  protocol    = "HTTP"
+  vpc_id      = aws_vpc.grafana_main.id
+  target_type = "ip"
+
+  health_check {
+    healthy_threshold   = 3
+    interval            = 30
+    protocol            = "HTTP"
+    matcher             = "200"
+    timeout             = 3
+    path                =  "/api/health" # Grafana health check endpoint
+    unhealthy_threshold = 2
+  }
+}
+
+# Redirect all traffic from the ALB to the target group
+resource "aws_alb_listener" "front_end" {
+  load_balancer_arn = aws_alb.main.id
+  port              = var.app_port
+  protocol          = "HTTP"
+  default_action {
+    target_group_arn = aws_alb_target_group.app.id
+    type             = "forward"
+  }
+  tags = merge(var.tags, {
+    Name = "${var.prefix}-alb-listener"
+  })
+}
+############################################################################################################
+# auto_scaling.tf
+
+resource "aws_appautoscaling_target" "target" {
+  service_namespace  = "ecs"
+  resource_id        = "service/${aws_ecs_cluster.main.name}/${aws_ecs_service.main.name}"
+  scalable_dimension = "ecs:service:DesiredCount"
+  role_arn           = aws_iam_role.ecs_auto_scale_role.arn
+  min_capacity       = 1
+  max_capacity       = 1
+  tags = merge(var.tags, {
+    Name = "${var.prefix}-aas-tgt"
+  })
+}
+
+# Automatically scale capacity up by one
+resource "aws_appautoscaling_policy" "up" {
+  name               = "grafana_scale_up"
+  service_namespace  = "ecs"
+  resource_id        = "service/${aws_ecs_cluster.main.name}/${aws_ecs_service.main.name}"
+  scalable_dimension = "ecs:service:DesiredCount"
+
+  step_scaling_policy_configuration {
+    adjustment_type         = "ChangeInCapacity"
+    cooldown                = 60
+    metric_aggregation_type = "Maximum"
+
+    step_adjustment {
+      metric_interval_lower_bound = 0
+      scaling_adjustment          = 1
+    }
+  }
+
+  depends_on = [aws_appautoscaling_target.target]
+
+}
+
+# Automatically scale capacity down by one
+resource "aws_appautoscaling_policy" "down" {
+  name               = "grafana_scale_down"
+  service_namespace  = "ecs"
+  resource_id        = "service/${aws_ecs_cluster.main.name}/${aws_ecs_service.main.name}"
+  scalable_dimension = "ecs:service:DesiredCount"
+
+  step_scaling_policy_configuration {
+    adjustment_type         = "ChangeInCapacity"
+    cooldown                = 60
+    metric_aggregation_type = "Maximum"
+
+    step_adjustment {
+      metric_interval_lower_bound = 0
+      scaling_adjustment          = -1
+    }
+  }
+
+  depends_on = [aws_appautoscaling_target.target]
+}
+############################################################################################################
+# ecs.tf
+# ecs.tf
+
+resource "aws_ecs_cluster" "main" {
+    name = "grafana-cluster"
+}
+
+data "template_file" "grafana_app" {
+    template = file("${path.module}/templates/ecs/grafana_app.json.tpl")
+
+    vars = {
+        app_image      = local.app_image
+        app_port       = var.app_port
+        fargate_cpu    = var.fargate_cpu
+        fargate_memory = var.fargate_memory
+        aws_region     = var.aws_region
+        log_group      = var.log_group
+        health_check_path = var.health_check_path
+    }
+}
+
+resource "aws_ecs_task_definition" "app" {
+    family                   = "grafana-app-task"
+    execution_role_arn       = aws_iam_role.ecs_task_execution_role.arn
+    task_role_arn            = aws_iam_role.ecs_task_role.arn    
+    network_mode             = "awsvpc"
+    requires_compatibilities = ["FARGATE"]
+    cpu                      = var.fargate_cpu
+    memory                   = var.fargate_memory
+    container_definitions    = data.template_file.grafana_app.rendered
+    tags = merge(var.tags, {
+        Name = "${var.prefix}-ecs-task"
+    })
+
+}
+
+
+resource "aws_ecs_service" "main" {
+  name            = "${var.prefix}-ecs-svc"
+  cluster         = aws_ecs_cluster.main.id
+  task_definition = aws_ecs_task_definition.app.arn
+  desired_count   = var.app_count
+  launch_type     = "FARGATE"
+
+  network_configuration {
+    security_groups  = [aws_security_group.ecs_tasks.id]
+    subnets          = aws_subnet.grafana_private[*].id
+    assign_public_ip = true
+  }
+
+  load_balancer {
+    target_group_arn = aws_alb_target_group.app.id
+    container_name   = "grafana-app"
+    container_port   = var.app_port
+  }
+}
+############################################################################################################
+# iam.tf
+resource "aws_iam_policy" "route53resolver_policy" {
+  name        = "${var.prefix}-route53resolver-policy"
+  description = "Policy to allow Route 53 Resolver DNS Firewall actions"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "route53resolver:ListFirewallRuleGroupAssociations",
+          "route53resolver:ListFirewallRuleGroups",
+          "route53resolver:ListFirewallRules"
+        ],
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "route53resolver_policy_attachment" {
+  role       = aws_iam_role.ecs_task_execution_role.name
+  policy_arn = aws_iam_policy.route53resolver_policy.arn
+}
+
+## Task Execution Role (ecs_task_execution_role):
+## This role is used by the ECS agent to pull container images from 
+## Amazon ECR, and to store and retrieve logs in Amazon CloudWatch.
+## It grants permissions needed for ECS to start and manage tasks
+resource "aws_iam_role" "ecs_task_execution_role" {
+  name = "${var.prefix}-ecs-task-execution-role"
+
+  assume_role_policy = <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": [
+   {
+     "Action": "sts:AssumeRole",
+     "Principal": {
+       "Service": "ecs-tasks.amazonaws.com"
+     },
+     "Effect": "Allow",
+     "Sid": ""
+   }
+ ]
+}
+EOF
+}
+
+resource "aws_iam_policy" "ecs_task_execution_policy" {
+  name        = "${var.prefix}-ecs-task-execution-policy"
+  description = "Policy for ECS task execution role to access ECR and CloudWatch Logs"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+  "Action": [
+    "ecr:GetDownloadUrlForLayer",
+    "ecr:BatchGetImage",
+    "ecr:BatchCheckLayerAvailability",
+    "ecr:GetAuthorizationToken",
+        "logs:CreateLogGroup",
+    "logs:CreateLogStream",
+    "logs:PutLogEvents",
+    "s3:*"
+  ],
+        Resource = "*"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy_attachment" "ecs_task_execution_policy_attachment" {
+  role       = aws_iam_role.ecs_task_execution_role.name
+  policy_arn = aws_iam_policy.ecs_task_execution_policy.arn
+}
+
+
+resource "aws_iam_role_policy_attachment" "ecs-task-execution-role-policy-attachment" {
+  role       = aws_iam_role.ecs_task_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+# This role is assumed by the containers running within the task.
+# It grants permissions that the application inside the container 
+# needs to interact with other AWS services (e.g., accessing S3, 
+# DynamoDB, etc.).
+resource "aws_iam_role" "ecs_task_role" {
+  name = "${var.prefix}-ecs-task-role"
+
+  assume_role_policy = <<EOF
+{
+ "Version": "2012-10-17",
+ "Statement": [
+   {
+     "Action": "sts:AssumeRole",
+     "Principal": {
+       "Service": "ecs-tasks.amazonaws.com"
+     },
+     "Effect": "Allow",
+     "Sid": ""
+   }
+ ]
+}
+EOF
+}
+
+        # Resource = ${aws_iam_role.monitoring_role.arn}
+
+
+resource "aws_iam_policy" "ecs_task_policy" {
+  name        = "${var.prefix}-ecs-task-policy"
+  description = "Policy for ECS task role to access CloudWatch Logs"
+  policy = jsonencode({
+    Version = "2012-10-17",
+    Statement = [
+      {
+        Effect = "Allow",
+        Action = [
+          "logs:CreateLogGroup",
+           "logs:CreateLogStream",
+           "logs:PutLogEvents",
+         ],
+        Resource = "*"
+      }
+    ]
+  })
+}
+resource "aws_iam_role_policy_attachment" "task_logs" {
+  role       = aws_iam_role.ecs_task_role.name
+  policy_arn = aws_iam_policy.ecs_task_policy.arn
+}
+resource "aws_iam_role_policy_attachment" "task_s3" {
+  role       = aws_iam_role.ecs_task_role.name
+  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
+}
+data "aws_iam_policy_document" "ecs_auto_scale_role" {
+  version = "2012-10-17"
+  statement {
+    effect = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["application-autoscaling.amazonaws.com"]
+    }
+  }
+}
+# ECS auto scale role
+resource "aws_iam_role" "ecs_auto_scale_role" {
+  name               = "${var.prefix}-${var.ecs_auto_scale_role_name}"
+  assume_role_policy = data.aws_iam_policy_document.ecs_auto_scale_role.json
+}
+# ECS auto scale role policy attachment
+resource "aws_iam_role_policy_attachment" "ecs_auto_scale_role" {
+  role       = aws_iam_role.ecs_auto_scale_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceAutoscaleRole"
+}
+
+# Monitoring role
+resource "aws_iam_role" "monitoring_role" {
+
+  name = "${var.prefix}-monitoring-role"
+
+  assume_role_policy = jsonencode({
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Effect": "Allow",
+        "Action": "sts:AssumeRole",
+        "Principal": {
+          "Service": "ecs-tasks.amazonaws.com"
+        }
+      },
+      {
+        Effect = "Allow",
+        Principal = {
+          AWS = aws_iam_role.ecs_task_role.arn
+        },
+        Action = "sts:AssumeRole"
+      }
+    ]
+  })
+}
+
+resource "aws_iam_role_policy" "monitoring_policy" {
+  name   = "${var.prefix}-monitoring-policy"
+  role   = aws_iam_role.monitoring_role.id
+
+  policy = jsonencode({
+    "Version": "2012-10-17",
+    "Statement": [
+      {
+        "Sid": "AllowReadingMetricsFromCloudWatch",
+        "Effect": "Allow",
+        "Action": [
+          "cloudwatch:DescribeAlarmsForMetric",
+          "cloudwatch:DescribeAlarmHistory",
+          "cloudwatch:DescribeAlarms",
+          "cloudwatch:ListMetrics",
+          "cloudwatch:GetMetricData",
+          "cloudwatch:GetInsightRuleReport"
+        ],
+        "Resource": "*"
+      },
+      {
+        "Sid": "AllowReadingResourceMetricsFromPerformanceInsights",
+        "Effect": "Allow",
+        "Action": "pi:GetResourceMetrics",
+        "Resource": "*"
+      },
+      {
+        "Sid": "AllowReadingLogsFromCloudWatch",
+        "Effect": "Allow",
+        "Action": [
+          "logs:DescribeLogGroups",
+          "logs:DescribeLogStreams",
+          "logs:GetLogEvents",
+          "logs:FilterLogEvents",
+          "logs:GetLogGroupFields",
+          "logs:StartQuery",
+          "logs:StopQuery",
+          "logs:GetQueryResults"
+        ],
+        "Resource": "*"
+      },
+      {
+        "Sid": "AllowReadingTagsInstancesRegionsFromEC2",
+        "Effect": "Allow",
+        "Action": [
+          "ec2:DescribeTags",
+          "ec2:DescribeInstances",
+          "ec2:DescribeRegions"
+        ],
+        "Resource": "*"
+      },
+      {
+        "Sid": "AllowReadingResourcesForTags",
+        "Effect": "Allow",
+        "Action": "tag:GetResources",
+        "Resource": "*"
+      }
+    ]
+  })
+}
+############################################################################################################
+# network.tf
+
+# Fetch AZs in the current region
+data "aws_availability_zones" "available" {}
+
+resource "aws_vpc" "grafana_main" {
+    cidr_block = var.cidr_block
+    // enable dns resolution
+    enable_dns_support = true
+    enable_dns_hostnames = true
+    tags = {
+        Name = "${var.prefix}-vpc"
+    }
+}
+
+
+# Create var.az_count private subnets, each in a different AZ
+resource "aws_subnet" "grafana_private" {
+    count             = var.az_count
+    cidr_block        = cidrsubnet(aws_vpc.grafana_main.cidr_block, 8, count.index)
+    availability_zone = data.aws_availability_zones.available.names[count.index]
+    vpc_id            = aws_vpc.grafana_main.id
+    tags = merge(var.tags, {
+        Name = "${var.prefix}-private-subnet-${count.index}"
+    })
+}
+
+
+# Create var.az_count public subnets, each in a different AZ
+resource "aws_subnet" "grafana_public" {
+    count                   = var.az_count
+    cidr_block              = cidrsubnet(aws_vpc.grafana_main.cidr_block, 8, var.az_count + count.index)
+    availability_zone       = data.aws_availability_zones.available.names[count.index]
+    vpc_id                  = aws_vpc.grafana_main.id
+    map_public_ip_on_launch = true
+    tags = merge(var.tags, {
+        Name = "${var.prefix}-public-subnet-${count.index}"
+    })
+}
+
+
+# Internet Gateway for the public subnet
+resource "aws_internet_gateway" "gw" {
+    vpc_id = aws_vpc.grafana_main.id
+    tags = merge(var.tags, {
+        Name = "${var.prefix}-igw"
+    })
+}
+
+# Route the public subnet traffic through the IGW
+resource "aws_route" "internet_access" {
+    route_table_id         = aws_vpc.grafana_main.main_route_table_id
+    destination_cidr_block = "0.0.0.0/0"
+    gateway_id             = aws_internet_gateway.gw.id    
+}
+
+# Create a new route table for the private subnets
+resource "aws_route_table" "private" {
+    count  = var.az_count
+    vpc_id = aws_vpc.grafana_main.id
+    tags = merge(var.tags, {
+        Name = "${var.prefix}-private-rt-${count.index}"
+    })
+}
+
+# Route the private subnet traffic through the NAT Gateway
+resource "aws_route" "private_nat_gateway" {
+  count          = var.az_count
+  route_table_id = element(aws_route_table.private[*].id, count.index)
+  destination_cidr_block = "0.0.0.0/0"
+  nat_gateway_id         = aws_nat_gateway.nat.id
+}
+
+
+# Explicitly associate the newly created route tables to the private subnets (so they don't default to the main route table)
+resource "aws_route_table_association" "private" {
+    count          = var.az_count
+    subnet_id      = element(aws_subnet.grafana_private[*].id, count.index)
+    route_table_id = element(aws_route_table.private[*].id, count.index)
+}
+
+
+############################################################################################################
+# security.tf
+
+# Security group for the ALB
+resource "aws_security_group" "lb" {
+  name        = "grafana-load-balancer-security-group" # @TODO ${var.prefix}-alb-sg"
+  description = "controls access to the ALB"
+  vpc_id      = aws_vpc.grafana_main.id
+
+  ingress {
+    protocol    = "tcp"
+    from_port   = var.app_port
+    to_port     = var.app_port
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    protocol    = "-1"
+    from_port   = 0
+    to_port     = 0
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = merge(var.tags, {
+    Name = "${var.prefix}-alb-sg"
+  })
+}
+
+# Security group for ECS tasks
+resource "aws_security_group" "ecs_tasks" {
+  name        = "cb-ecs-tasks-security-group"
+  description = "allow inbound access from the ALB only"
+  vpc_id      = aws_vpc.grafana_main.id
+
+  ingress {
+    protocol        = "tcp"
+    from_port       = var.app_port
+    to_port         = var.app_port
+    security_groups = [aws_security_group.lb.id]
+  }
+
+  egress {
+    protocol    = "-1"
+    from_port   = 0
+    to_port     = 0
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = merge(var.tags, {
+    Name = "${var.prefix}-sg-ecs-tasks"
+  })
+}
+
+# Elastic IP & NAT Gateway for egress traffic
+resource "aws_eip" "nat" {
+  domain = "vpc"
+  tags = merge(var.tags, {
+    Name = "${var.prefix}-nat-eip"
+  })
+}
+
+
+resource "aws_nat_gateway" "nat" {
+  allocation_id = aws_eip.nat.id
+  subnet_id     = element(aws_subnet.grafana_public[*].id, 0) 
+  tags = merge(var.tags, {
+    Name = "${var.prefix}-nat-gw"
+  })
+}
\ No newline at end of file
diff --git a/grafana/non-prod/terraform/logs.tf b/grafana/non-prod/terraform/logs.tf
new file mode 100644
index 000000000..5f7e3ba68
--- /dev/null
+++ b/grafana/non-prod/terraform/logs.tf
@@ -0,0 +1,18 @@
+############################################################################################################
+#logs.tf
+# logs.tf
+
+# Set up CloudWatch group and log stream and retain logs for 30 days
+resource "aws_cloudwatch_log_group" "grafana_log_group" {
+  name              = var.log_group
+  retention_in_days = 30
+
+  tags = merge(var.tags, {
+      Name = "${var.prefix}-log-group"
+  })
+}
+
+resource "aws_cloudwatch_log_stream" "grafana_log_group" {
+  name           = "${var.prefix}-log-stream"
+  log_group_name = aws_cloudwatch_log_group.grafana_log_group.name
+}
diff --git a/grafana/non-prod/terraform/main.tf b/grafana/non-prod/terraform/main.tf
new file mode 100644
index 000000000..cda1e2f87
--- /dev/null
+++ b/grafana/non-prod/terraform/main.tf
@@ -0,0 +1,77 @@
+# main.tf 
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5"
+    }
+    docker = {
+      source  = "kreuzwerker/docker"
+      version = "3.0.2"
+    }
+    template = {
+      source  = "hashicorp/template"
+      version = "~> 2.2.0"
+    }
+  }
+  backend "s3" {
+    region = "eu-west-2"
+    key    = "state"
+  }
+  required_version = ">= 1.5.0"
+}
+
+provider "aws" {
+  region  = var.aws_region
+  profile = "apim-dev"
+  default_tags {
+    tags = var.tags
+  }
+}
+
+provider "aws" {
+  alias   = "acm_provider"
+  region  = var.aws_region
+  profile = "apim-dev"
+}
+
+data "aws_region" "current" {}
+data "aws_caller_identity" "current" {}
+############################################################################################################
+
+resource "null_resource" "vpce_message" {
+  count = var.use_natgw ? 0 : 1
+  provisioner "local-exec" {
+    command = "echo 'Building VPC Endpoint module...'"
+  }
+}
+resource "null_resource" "natgw_message" {
+  count = var.use_natgw ? 1 : 0
+  provisioner "local-exec" {
+    command = "echo 'Building NAT Gateway module...'"
+  }
+}
+
+
+// add natgw module - only if use_natgw is true
+module "natgw" {
+  source = "./natgw"
+  count  = var.use_natgw ? 1 : 0
+  aws_region = var.aws_region
+  tags = var.tags
+  prefix = var.prefix
+  public_subnet_ids = aws_subnet.grafana_public[*].id
+}
+
+# add vpce module - only if natgw is not used
+module "vpce" {
+  source = "./vpce"
+  count  = var.use_natgw ? 0 : 1
+  aws_region = var.aws_region
+  tags = var.tags
+  prefix = var.prefix
+  private_subnet_ids = aws_subnet.grafana_private[*].id
+  vpc_id = aws_vpc.grafana_main.id
+  ecs_sg_id = aws_security_group.ecs_tasks.id
+  route_table_ids = aws_route_table.private[*].id
+}
\ No newline at end of file
diff --git a/grafana/non-prod/terraform/natgw/natgw.tf b/grafana/non-prod/terraform/natgw/natgw.tf
new file mode 100644
index 000000000..31d62406f
--- /dev/null
+++ b/grafana/non-prod/terraform/natgw/natgw.tf
@@ -0,0 +1,16 @@
+# # Elastic IP & NAT Gateway for egress traffic
+resource "aws_eip" "nat" {
+  domain = "vpc"
+  tags = merge(var.tags, {
+    Name = "${var.prefix}-nat-eip"
+  })
+}
+
+
+resource "aws_nat_gateway" "nat" {
+  allocation_id = aws_eip.nat.id
+  subnet_id     = element(var.public_subnet_ids, 0) 
+  tags = merge(var.tags, {
+    Name = "${var.prefix}-nat-gw"
+  })
+}
\ No newline at end of file
diff --git a/grafana/non-prod/terraform/natgw/variables.tf b/grafana/non-prod/terraform/natgw/variables.tf
new file mode 100644
index 000000000..a04b80734
--- /dev/null
+++ b/grafana/non-prod/terraform/natgw/variables.tf
@@ -0,0 +1,18 @@
+variable "aws_region" {
+    description = "Destination AWS region"
+}
+
+variable "tags" {
+  description = "A map of tags to add to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+variable "prefix" {
+  description = "Prefix for all resources"
+}
+
+variable "public_subnet_ids" {
+  description = "IDs of the public subnets"
+  type        = list(string)
+}
diff --git a/grafana/non-prod/terraform/output.tf b/grafana/non-prod/terraform/output.tf
new file mode 100644
index 000000000..690434fd4
--- /dev/null
+++ b/grafana/non-prod/terraform/output.tf
@@ -0,0 +1,52 @@
+############################################################
+
+# outputs.tf
+
+output "alb_hostname" {
+  value = "${aws_alb.main.dns_name}:3000"
+}
+
+output "ecs_cluster_id" {
+  description = "The ID of the ECS cluster"
+  value       = aws_ecs_cluster.main.id
+}
+
+output "ecs_service_name" {
+  description = "The name of the ECS service"
+  value       = aws_ecs_service.main.name
+}
+
+output "ecs_task_definition_arn" {
+  description = "The ARN of the ECS task definition"
+  value       = aws_ecs_task_definition.app.arn
+}
+
+output "ecs_task_definition_family" {
+  description = "The family of the ECS task definition"
+  value       = aws_ecs_task_definition.app.family
+}
+
+output "ecs_task_definition_revision" {
+  description = "The revision of the ECS task definition"
+  value       = aws_ecs_task_definition.app.revision
+}
+
+output "load_balancer_dns" {
+  description = "The DNS name of the load balancer"
+  value       = aws_alb.main.dns_name
+}
+
+// output the url to access the grafana app
+output "grafana_url" {
+  value = "http://${aws_alb.main.dns_name}:${var.app_port}"
+}
+
+output "alb_target_group_arn" {
+  description = "The ARN of the ALB target group"
+  value       = aws_alb_target_group.app.arn
+}
+
+output "alb_listener_arn" {
+  description = "The ARN of the ALB listener"
+  value       = aws_alb_listener.front_end.arn
+}
\ No newline at end of file
diff --git a/grafana/non-prod/terraform/templates/ecs/grafana_app.json.tpl b/grafana/non-prod/terraform/templates/ecs/grafana_app.json.tpl
new file mode 100644
index 000000000..1519b71ed
--- /dev/null
+++ b/grafana/non-prod/terraform/templates/ecs/grafana_app.json.tpl
@@ -0,0 +1,31 @@
+[
+  {
+    "name": "grafana-app",
+    "image": "${app_image}",
+    "cpu": ${fargate_cpu},
+    "memory": ${fargate_memory},
+    "networkMode": "awsvpc",
+    "logConfiguration": {
+        "logDriver": "awslogs",
+        "options": {
+          "awslogs-create-group": "true",
+          "awslogs-group": "${log_group}",
+          "awslogs-region": "${aws_region}",
+          "awslogs-stream-prefix": "ecs"
+        }
+    },
+    "portMappings": [
+      {
+        "containerPort": ${app_port},
+        "hostPort": ${app_port}
+      }
+    ],
+    "healthCheck": {
+      "command": ["CMD-SHELL", "curl -f http://localhost:${app_port}${health_check_path} || exit 1"],
+      "interval": 30,
+      "timeout": 5,
+      "retries": 3,
+      "startPeriod": 60
+    }
+  }
+]
\ No newline at end of file
diff --git a/grafana/non-prod/terraform/terraform.tfvars b/grafana/non-prod/terraform/terraform.tfvars
new file mode 100644
index 000000000..80e9d5a9c
--- /dev/null
+++ b/grafana/non-prod/terraform/terraform.tfvars
@@ -0,0 +1,27 @@
+aws_region = "eu-west-2"
+
+ecs_auto_scale_role_name = "EcsAutoScaleRole"
+
+az_count = 2
+
+app_port = 3000
+
+app_count = 1
+
+health_check_path = "/api/health"
+
+fargate_cpu = 1024
+
+fargate_memory = 2048
+
+cidr_block = "10.0.0.0/16"
+
+prefix = "imms-fhir-api-grafana"
+
+app_version = "11.0.0-22.04_stable"
+
+log_group = "/ecs/imms-fhir-api-grafana"
+
+use_natgw = true
+
+environment = "non-prod"
\ No newline at end of file
diff --git a/grafana/non-prod/terraform/variables.tf b/grafana/non-prod/terraform/variables.tf
new file mode 100644
index 000000000..186f4ba0c
--- /dev/null
+++ b/grafana/non-prod/terraform/variables.tf
@@ -0,0 +1,78 @@
+variable "aws_region" {
+    description = "Destination AWS region"
+}
+
+variable "ecs_auto_scale_role_name" {
+    description = "ECS auto scale role name"
+}
+
+variable "az_count" {
+    description = "Number of AZs to cover in a given region"
+    default     = 2
+}
+
+variable "app_version" {
+    description = "Version of the Docker image to run in the ECS cluster"
+    default     = "11.0.0-22.04_stable"
+}
+
+variable "app_port" {
+    description = "Port exposed by the docker image to redirect traffic to"
+}
+
+variable "app_count" {
+    description = "Number of docker containers to run"
+}
+
+variable "health_check_path" {
+    description = "Health check path for the ALB"
+}
+
+variable "fargate_cpu" {
+    description = "Fargate instance CPU units to provision (1 vCPU = 1024 CPU units)"
+}
+
+variable "fargate_memory" {
+    description = "Fargate instance memory to provision (in MiB)"
+}
+
+variable "cidr_block" {
+    description = "CIDR block for the VPC"
+}
+
+variable "log_group" {
+    description = "CloudWatch log group name"
+}
+
+variable "use_natgw" {
+    description = "Boolean to determine whether to use the NAT Gateway module"
+    type        = bool
+    default     = true
+}
+
+variable "environment" {
+    description = "Environment to deploy to"
+}
+
+variable "prefix" {
+    description = "Prefix for all resources"
+}
+
+variable "tags" {
+    description = "A map of tags to add to all resources"
+    type        = map(string)
+    default     = {}
+}
+
+locals {
+    account_id = data.aws_caller_identity.current.account_id
+    app_image  = "${local.account_id}.dkr.ecr.${var.aws_region}.amazonaws.com/${var.prefix}:${var.app_version}"
+    tags = {
+        Environment = var.environment
+        Project     = var.prefix
+    }
+}
+
+output "app_image" {
+    value = local.app_image
+}
\ No newline at end of file
diff --git a/grafana/non-prod/terraform/vpce/variables.tf b/grafana/non-prod/terraform/vpce/variables.tf
new file mode 100644
index 000000000..d6d430529
--- /dev/null
+++ b/grafana/non-prod/terraform/vpce/variables.tf
@@ -0,0 +1,34 @@
+variable "aws_region" {
+    description = "Destination AWS region"
+}
+
+variable "tags" {
+  description = "A map of tags to add to all resources"
+  type        = map(string)
+  default     = {}
+}
+
+variable "prefix" {
+  description = "Prefix for all resources"
+}
+
+variable "private_subnet_ids" {
+  description = "IDs of the private subnets"
+  type        = list(string)
+}
+
+variable "vpc_id" {
+  description = "ID of the VPC"
+  type        = string
+}
+
+variable "ecs_sg_id" {
+  description = "ID of the ECS security group"
+  type        = string
+}
+
+# variable to hold aws_route_table.private[*].id
+variable "route_table_ids" {
+  description = "IDs of the route tables"
+  type        = list(string)
+}
diff --git a/grafana/non-prod/terraform/vpce/vpce.tf b/grafana/non-prod/terraform/vpce/vpce.tf
new file mode 100644
index 000000000..3c7f78156
--- /dev/null
+++ b/grafana/non-prod/terraform/vpce/vpce.tf
@@ -0,0 +1,77 @@
+# vpce.tf
+# VPCE alternative to NAT Gateway
+# VPC Endpoint for ECR API
+resource "aws_vpc_endpoint" "ecr_api" {
+    vpc_id            = var.vpc_id
+    service_name      = "com.amazonaws.${var.aws_region}.ecr.api"
+    vpc_endpoint_type = "Interface"
+    subnet_ids        = var.private_subnet_ids
+    security_group_ids = [aws_security_group.vpc_endpoints.id]
+    # allow for dns resolution
+    private_dns_enabled = true
+    tags = merge(var.tags, {
+        Name = "${var.prefix}-ecr-api-vpce"
+    })
+}
+
+# VPC Endpoint for ECR Docker
+resource "aws_vpc_endpoint" "ecr_docker" {
+    vpc_id            = var.vpc_id
+    service_name      = "com.amazonaws.${var.aws_region}.ecr.dkr"
+    vpc_endpoint_type = "Interface"
+    subnet_ids        = var.private_subnet_ids
+    security_group_ids = [aws_security_group.vpc_endpoints.id]
+    # allow for dns resolution
+    private_dns_enabled = true
+    tags = merge(var.tags, {
+        Name = "${var.prefix}-ecr-dkr-vpce"
+    })
+}
+
+# VPC Endpoint for CloudWatch Logs
+resource "aws_vpc_endpoint" "cloudwatch_logs" {
+    vpc_id            = var.vpc_id
+    service_name      = "com.amazonaws.${var.aws_region}.logs"
+    vpc_endpoint_type = "Interface"
+    subnet_ids        = var.private_subnet_ids
+    security_group_ids = [aws_security_group.vpc_endpoints.id]
+    private_dns_enabled = true
+    tags = merge(var.tags, {
+        Name = "${var.prefix}-cloudwatch-logs-vpce"
+    })
+}
+
+# VPC Endpoint for S3 as ECR stores image layers in S3
+resource "aws_vpc_endpoint" "s3" {
+    vpc_id            = var.vpc_id
+    service_name      = "com.amazonaws.${var.aws_region}.s3"
+    vpc_endpoint_type = "Gateway"
+    route_table_ids   = var.route_table_ids
+    tags = merge(var.tags, {
+        Name = "${var.prefix}-s3-vpce"
+    })
+}
+
+# Security group for VPC endpoints
+resource "aws_security_group" "vpc_endpoints" {
+  name        = "vpc-endpoints-sg"
+  description = "Security group for VPC endpoints"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port   = 443
+    to_port     = 443
+    protocol    = "tcp"
+    security_groups = [var.ecs_sg_id] 
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+  tags = merge(var.tags, {
+    Name = "${var.prefix}-vpc-endpoints-sg"
+  })
+}
\ No newline at end of file