diff --git a/infrastructure/.gitignore b/infrastructure/.gitignore
index d49ee98d..3e8d0394 100644
--- a/infrastructure/.gitignore
+++ b/infrastructure/.gitignore
@@ -28,3 +28,4 @@ override.tf.json
 # Ignore CLI configuration files
 .terraformrc
 terraform.rc
+.terraform.lock.hcl
diff --git a/infrastructure/environments/poc/variables.sh b/infrastructure/environments/poc/variables.sh
index 83cecc05..f3b37dd9 100644
--- a/infrastructure/environments/poc/variables.sh
+++ b/infrastructure/environments/poc/variables.sh
@@ -3,7 +3,7 @@ ENV_CONFIG=poc
 AZURE_SUBSCRIPTION="Lung Cancer Screening - Dev"
 HUB_SUBSCRIPTION="Lung Cancer Screening - Dev"
 STORAGE_ACCOUNT_RG=rg-tfstate-poc-uks
-TERRAFORM_MODULES_REF=main
+TERRAFORM_MODULES_REF=feat/public-container-app-env
 ENABLE_SOFT_DELETE=false
 DOCKER_IMAGE=docker.io/nginxdemos/hello
 DOCKER_IMAGE_TAG=latest
diff --git a/infrastructure/environments/poc/variables.tfvars b/infrastructure/environments/poc/variables.tfvars
index 8c55e584..31233e81 100644
--- a/infrastructure/environments/poc/variables.tfvars
+++ b/infrastructure/environments/poc/variables.tfvars
@@ -1,10 +1,10 @@
-features                              = {
+deploy_database_as_container = true
+features = {
   front_door         = false
   hub_and_spoke      = false
   private_networking = false
 }
 postgres_backup_retention_days        = 7
 postgres_geo_redundant_backup_enabled = false
-private_networking                    = false
 protect_keyvault                      = false
 vnet_address_space                    = "10.65.0.0/16"
diff --git a/infrastructure/environments/poc/variables.yml b/infrastructure/environments/poc/variables.yml
new file mode 100644
index 00000000..ab403b92
--- /dev/null
+++ b/infrastructure/environments/poc/variables.yml
@@ -0,0 +1 @@
+EXAMPLE_KEY: example_value
diff --git a/infrastructure/modules/container-apps/data.tf b/infrastructure/modules/container-apps/data.tf
new file mode 100644
index 00000000..4c90b849
--- /dev/null
+++ b/infrastructure/modules/container-apps/data.tf
@@ -0,0 +1,32 @@
+data "azurerm_client_config" "current" {}
+
+# data "azuread_group" "postgres_sql_admin_group" {
+#   display_name = var.postgres_sql_admin_group
+# }
+
+data "azurerm_private_dns_zone" "storage" {
+  count = var.features.private_networking ? 1 : 0
+
+  provider = azurerm.hub
+
+  name                = "privatelink.blob.core.windows.net"
+  resource_group_name = "rg-hub-${var.hub}-uks-private-dns-zones"
+}
+
+data "azurerm_private_dns_zone" "storage-account-blob" {
+  count = var.features.private_networking ? 1 : 0
+
+  provider = azurerm.hub
+
+  name                = "privatelink.blob.core.windows.net"
+  resource_group_name = "rg-hub-${var.hub}-uks-private-dns-zones"
+}
+
+data "azurerm_private_dns_zone" "storage-account-queue" {
+  count = var.features.private_networking ? 1 : 0
+
+  provider = azurerm.hub
+
+  name                = "privatelink.queue.core.windows.net"
+  resource_group_name = "rg-hub-${var.hub}-uks-private-dns-zones"
+}
diff --git a/infrastructure/modules/container-apps/front_door.tf b/infrastructure/modules/container-apps/front_door.tf
new file mode 100644
index 00000000..c99dc67e
--- /dev/null
+++ b/infrastructure/modules/container-apps/front_door.tf
@@ -0,0 +1,45 @@
+data "azurerm_cdn_frontdoor_profile" "this" {
+  count = var.features.front_door ? 1 : 0
+
+  provider = azurerm.hub
+
+  name                = var.front_door_profile
+  resource_group_name = "rg-hub-${var.hub}-uks-${var.app_short_name}"
+}
+
+module "frontdoor_endpoint" {
+  count = var.features.front_door ? 1 : 0
+
+  source = "../dtos-devops-templates/infrastructure/modules/cdn-frontdoor-endpoint"
+
+  providers = {
+    azurerm     = azurerm.hub # Each project's Front Door profile (with secrets) resides in Hub since it's shared infra with a Non-live/Live deployment pattern
+    azurerm.dns = azurerm.hub
+  }
+
+  cdn_frontdoor_profile_id = data.azurerm_cdn_frontdoor_profile.this[0].id
+  custom_domains = {
+    "${var.environment}-domain" = {
+      host_name        = local.hostname # For prod it must be equal to the dns_zone_name to use apex
+      dns_zone_name    = var.dns_zone_name
+      dns_zone_rg_name = "rg-hub-${var.hub}-uks-public-dns-zones"
+    }
+  }
+  name = var.environment # environment-specific to avoid naming collisions within a Front Door Profile
+
+  origins = {
+    "${var.environment}-origin" = {
+      hostname           = module.webapp.fqdn
+      origin_host_header = module.webapp.fqdn
+      private_link = {
+        target_type            = "managedEnvironments"
+        location               = var.region
+        private_link_target_id = var.container_app_environment_id
+      }
+    }
+  }
+  route = {
+    https_redirect_enabled = true
+    supported_protocols    = ["Http", "Https"]
+  }
+}
diff --git a/infrastructure/modules/container-apps/main.tf b/infrastructure/modules/container-apps/main.tf
new file mode 100644
index 00000000..92e9f948
--- /dev/null
+++ b/infrastructure/modules/container-apps/main.tf
@@ -0,0 +1,34 @@
+resource "azurerm_resource_group" "main" {
+  name     = local.resource_group_name
+  location = var.region
+}
+
+module "webapp" {
+  source = "../dtos-devops-templates/infrastructure/modules/container-app"
+
+  providers = {
+    azurerm     = azurerm
+    azurerm.hub = azurerm.hub
+  }
+
+  name                             = "${var.app_short_name}-web-${var.environment}"
+  container_app_environment_id     = var.container_app_environment_id
+  resource_group_name              = azurerm_resource_group.main.name
+  fetch_secrets_from_app_key_vault = var.fetch_secrets_from_app_key_vault
+  infra_key_vault_name             = "kv-${var.app_short_name}-${var.env_config}-inf"
+  infra_key_vault_rg               = "rg-${var.app_short_name}-${var.env_config}-infra"
+  enable_auth                      = var.enable_auth
+  app_key_vault_id                 = var.app_key_vault_id
+  docker_image                     = var.docker_image
+  user_assigned_identity_ids       = var.deploy_database_as_container ? [] : [module.db_connect_identity[0].id]
+  environment_variables = merge(
+    local.common_env,
+    {
+      ALLOWED_HOSTS = "${var.app_short_name}-web-${var.environment}.${var.default_domain}"
+    },
+    var.deploy_database_as_container ? local.container_db_env : local.azure_db_env
+  )
+  secret_variables = var.deploy_database_as_container ? { DATABASE_PASSWORD = resource.random_password.admin_password[0].result } : {}
+  is_web_app       = true
+  port             = 80
+}
diff --git a/infrastructure/modules/container-apps/output.tf b/infrastructure/modules/container-apps/output.tf
new file mode 100644
index 00000000..15d19fe0
--- /dev/null
+++ b/infrastructure/modules/container-apps/output.tf
@@ -0,0 +1,7 @@
+output "internal_url" {
+  value = module.webapp.url
+}
+
+output "external_url" {
+  value = var.features.front_door ? "https://${module.frontdoor_endpoint.custom_domains["${var.environment}-domain"].host_name}/" : null
+}
diff --git a/infrastructure/modules/container-apps/postgres.tf b/infrastructure/modules/container-apps/postgres.tf
new file mode 100644
index 00000000..eaa42924
--- /dev/null
+++ b/infrastructure/modules/container-apps/postgres.tf
@@ -0,0 +1,100 @@
+data "azurerm_private_dns_zone" "postgres" {
+  count = var.features.private_networking ? 1 : 0
+
+  provider = azurerm.hub
+
+  name                = "privatelink.postgres.database.azure.com"
+  resource_group_name = "rg-hub-${var.hub}-uks-private-dns-zones"
+}
+
+# Don't deploy if deploy_database_as_container is true
+module "postgres" {
+  count = var.deploy_database_as_container ? 0 : 1
+
+  source = "../dtos-devops-templates/infrastructure/modules/postgresql-flexible"
+
+  # postgresql Server
+  name                = "postgres-${var.app_short_name}-${var.environment}-uks"
+  resource_group_name = azurerm_resource_group.main.name
+  location            = var.region
+
+  backup_retention_days           = var.postgres_backup_retention_days
+  geo_redundant_backup_enabled    = var.postgres_geo_redundant_backup_enabled
+  postgresql_admin_object_id      = "" #data.azuread_group.postgres_sql_admin_group.object_id
+  postgresql_admin_principal_name = var.postgres_sql_admin_group
+  postgresql_admin_principal_type = "Group"
+  administrator_login             = local.database_user
+  admin_identities                = [module.db_connect_identity[0]]
+
+  # Diagnostic Settings
+  log_analytics_workspace_id                                = var.log_analytics_workspace_audit_id
+  monitor_diagnostic_setting_postgresql_server_enabled_logs = ["PostgreSQLLogs", "PostgreSQLFlexSessions", "PostgreSQLFlexQueryStoreRuntime", "PostgreSQLFlexQueryStoreWaitStats", "PostgreSQLFlexTableStats", "PostgreSQLFlexDatabaseXacts"]
+  monitor_diagnostic_setting_postgresql_server_metrics      = ["AllMetrics"]
+
+  sku_name     = var.postgres_sku_name
+  storage_mb   = var.postgres_storage_mb
+  storage_tier = var.postgres_storage_tier
+
+  server_version = "16"
+  tenant_id      = data.azurerm_client_config.current.tenant_id
+
+  private_endpoint_properties = var.features.private_networking ? {
+    private_dns_zone_ids_postgresql      = [data.azurerm_private_dns_zone.postgres[0].id]
+    private_endpoint_enabled             = true
+    private_endpoint_subnet_id           = var.postgres_subnet_id
+    private_endpoint_resource_group_name = azurerm_resource_group.main.name
+    private_service_connection_is_manual = false
+  } : null
+
+  databases = {
+    db1 = {
+      collation   = "en_US.utf8"
+      charset     = "UTF8"
+      max_size_gb = 10
+      name        = local.database_name
+    }
+  }
+
+  tags = {}
+}
+
+module "db_connect_identity" {
+  count = var.deploy_database_as_container ? 0 : 1
+
+  source              = "../dtos-devops-templates/infrastructure/modules/managed-identity"
+  resource_group_name = azurerm_resource_group.main.name
+  location            = var.region
+  uai_name            = "mi-${var.app_short_name}-${var.environment}-db-connect"
+}
+
+resource "random_password" "admin_password" {
+  count = var.deploy_database_as_container ? 1 : 0
+
+  length           = 30
+  special          = true
+  override_special = "!@#$%^&*()-_=+"
+}
+
+module "database_container" {
+  count = var.deploy_database_as_container ? 1 : 0
+
+  providers = {
+    azurerm     = azurerm
+    azurerm.hub = azurerm.hub
+  }
+
+  source                       = "../dtos-devops-templates/infrastructure/modules/container-app"
+  name                         = "${var.app_short_name}-db-${var.environment}"
+  container_app_environment_id = var.container_app_environment_id
+  docker_image                 = "postgres:16"
+  secret_variables             = var.deploy_database_as_container ? { POSTGRES_PASSWORD = resource.random_password.admin_password[0].result } : {}
+  environment_variables = {
+    POSTGRES_USER = local.database_user
+    POSTGRES_DB   = local.database_name
+  }
+  resource_group_name = azurerm_resource_group.main.name
+  is_tcp_app          = true
+  # postgres has a port of 5432
+  port         = 5432
+  exposed_port = local.database_port
+}
diff --git a/infrastructure/modules/container-apps/providers.tf b/infrastructure/modules/container-apps/providers.tf
new file mode 100644
index 00000000..63db07d5
--- /dev/null
+++ b/infrastructure/modules/container-apps/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source                = "hashicorp/azurerm"
+      configuration_aliases = [azurerm.hub]
+    }
+  }
+}
diff --git a/infrastructure/modules/container-apps/storage.tf b/infrastructure/modules/container-apps/storage.tf
new file mode 100644
index 00000000..1f9ac80d
--- /dev/null
+++ b/infrastructure/modules/container-apps/storage.tf
@@ -0,0 +1,53 @@
+module "azure_blob_storage_identity" {
+  source              = "../dtos-devops-templates/infrastructure/modules/managed-identity"
+  resource_group_name = azurerm_resource_group.main.name
+  location            = var.region
+  uai_name            = "mi-${var.app_short_name}-${var.environment}-blob-storage"
+}
+
+module "azure_queue_storage_identity" {
+  source              = "../dtos-devops-templates/infrastructure/modules/managed-identity"
+  resource_group_name = azurerm_resource_group.main.name
+  location            = var.region
+  uai_name            = "mi-${var.app_short_name}-${var.environment}-queue-storage"
+}
+
+module "storage" {
+  source = "../dtos-devops-templates/infrastructure/modules/storage"
+
+  containers                 = local.storage_containers
+  location                   = var.region
+  log_analytics_workspace_id = var.log_analytics_workspace_audit_id
+
+  monitor_diagnostic_setting_storage_account_enabled_logs = ["StorageWrite", "StorageRead", "StorageDelete"]
+  monitor_diagnostic_setting_storage_account_metrics      = ["AllMetrics"]
+
+  name = replace(lower(local.storage_account_name), "-", "")
+
+  private_endpoint_properties = var.features.private_networking ? {
+    private_dns_zone_ids_blob            = [data.azurerm_private_dns_zone.storage-account-blob[0].id]
+    private_dns_zone_ids_queue           = [data.azurerm_private_dns_zone.storage-account-queue[0].id]
+    private_endpoint_enabled             = true
+    private_endpoint_subnet_id           = var.main_subnet_id
+    private_endpoint_resource_group_name = azurerm_resource_group.main.name
+    private_service_connection_is_manual = false
+  } : null
+  queues              = local.storage_queues
+  resource_group_name = azurerm_resource_group.main.name
+}
+
+module "blob_storage_role_assignment" {
+  source               = "../dtos-devops-templates/infrastructure/modules/rbac-assignment"
+  principal_id         = module.azure_blob_storage_identity.principal_id
+  role_definition_name = "Storage Blob Data Contributor"
+  scope                = module.storage.storage_account_id
+  depends_on           = [module.storage, module.azure_blob_storage_identity]
+}
+
+module "queue_storage_role_assignment" {
+  source               = "../dtos-devops-templates/infrastructure/modules/rbac-assignment"
+  principal_id         = module.azure_queue_storage_identity.principal_id
+  role_definition_name = "Storage Queue Data Contributor"
+  scope                = module.storage.storage_account_id
+  depends_on           = [module.storage, module.azure_queue_storage_identity]
+}
diff --git a/infrastructure/modules/container-apps/variables.tf b/infrastructure/modules/container-apps/variables.tf
new file mode 100644
index 00000000..e479533b
--- /dev/null
+++ b/infrastructure/modules/container-apps/variables.tf
@@ -0,0 +1,186 @@
+variable "api_oauth_token_url" {
+  description = "The OAuth API endpoint URL used to request client credentials for NHS Notify API"
+  type        = string
+  default     = null
+}
+
+variable "app_key_vault_id" {
+  description = "Application key vault ID"
+  type        = string
+}
+
+variable "app_short_name" {
+  description = "Application short name (6 characters)"
+  type        = string
+}
+
+variable "container_app_environment_id" {
+  description = "The ID of the container app environment where container apps are deployed"
+  type        = string
+}
+
+variable "default_domain" {
+  description = "The container app environment default domain"
+  type        = string
+}
+
+variable "dns_zone_name" {
+  description = "Public DNS zone name"
+  type        = string
+  default     = ""
+}
+
+variable "docker_image" {
+  description = "Docker image full path including registry, repository and tag"
+  type        = string
+}
+
+variable "enable_auth" {
+  description = "Enable authentication for the container app. If true, the app will use Azure AD authentication."
+  type        = bool
+}
+
+variable "env_config" {
+  description = "Environment configuration. Different environments may share the same environment config and the same infrastructure"
+  type        = string
+}
+
+variable "environment" {
+  description = "Application environment name"
+  type        = string
+}
+
+variable "features" {
+  description = "Feature flags for the deployment"
+  type = object({
+    front_door         = optional(bool, true)
+    hub_and_spoke      = optional(bool, true)
+    private_networking = optional(bool, true)
+  })
+}
+
+variable "fetch_secrets_from_app_key_vault" {
+  description = <<EOT
+    Set to false initially to create and populate the app key vault.
+
+    Then set to true to let the container app read secrets from the key vault."
+    EOT
+  type        = bool
+}
+
+variable "front_door_profile" {
+  description = "Name of the front door profile created for this application in the hub subscription"
+  type        = string
+}
+
+variable "hub" {
+  description = "Hub name (dev or prod)"
+  type        = string
+}
+
+variable "log_analytics_workspace_audit_id" {
+  description = "Log analytics workspace audit ID"
+  type        = string
+}
+
+variable "deploy_database_as_container" {
+  description = "Whether to deploy the database as a container or as an Azure postgres flexible server."
+  type        = bool
+}
+
+variable "postgres_backup_retention_days" {
+  description = "The number of days to retain backups for the PostgreSQL Flexible Server."
+  type        = number
+}
+
+variable "postgres_geo_redundant_backup_enabled" {
+  description = "Whether geo-redundant backup is enabled for the PostgreSQL Flexible Server."
+  type        = bool
+}
+
+variable "postgres_sku_name" {
+  description = "Value of the PostgreSQL Flexible Server SKU name"
+  type        = string
+}
+
+variable "postgres_sql_admin_group" {
+  description = "Entra ID group which is granted admin access to the PostgreSQL Flexible Server."
+  type        = string
+}
+
+variable "postgres_storage_mb" {
+  description = "Value of the PostgreSQL Flexible Server storage in MB"
+  type        = number
+}
+
+variable "postgres_storage_tier" {
+  description = "Value of the PostgreSQL Flexible Server storage tier"
+  type        = string
+}
+
+variable "postgres_subnet_id" {
+  description = "The postgres subnet id. Created in the infra module."
+  type        = string
+}
+
+variable "main_subnet_id" {
+  description = "The main subnet id. Created in the infra module."
+  type        = string
+}
+
+variable "region" {
+  description = "The region to deploy in"
+  type        = string
+}
+
+variable "seed_demo_data" {
+  description = "Whether or not to seed the demo data in the database."
+  type        = bool
+  default     = false
+}
+
+variable "use_apex_domain" {
+  description = "Use apex domain for the Front Door endpoint. Set to true for production."
+  type        = bool
+}
+
+
+locals {
+  resource_group_name = "rg-${var.app_short_name}-${var.environment}-container-app-uks"
+
+  hostname = var.use_apex_domain ? var.dns_zone_name : "${var.environment}.${var.dns_zone_name}"
+
+  database_user = "admin"
+  database_name = "lung_cancer_screening"
+  # Here we expect the environment to be in format pr-XXX. For example PR 1234 would have environment pr-1234 and port 2234
+  database_port = var.deploy_database_as_container && var.env_config == "review" ? tonumber(regex("\\d+", var.environment)) + 1000 : 5432
+
+  env_vars_from_yaml = yamldecode(
+    file("${path.module}/../../environments/${var.env_config}/variables.yml")
+  )
+  common_env = merge(
+    local.env_vars_from_yaml,
+    {
+      SSL_MODE   = "require"
+      DJANGO_ENV = var.env_config
+    }
+  )
+
+  container_db_env = {
+    DATABASE_HOST = var.deploy_database_as_container ? module.database_container[0].container_app_fqdn : null
+    DATABASE_NAME = local.database_name
+    DATABASE_USER = local.database_user
+    DATABASE_PORT = local.database_port
+  }
+
+  azure_db_env = {
+    AZURE_CLIENT_ID = var.deploy_database_as_container ? null : module.db_connect_identity[0].client_id
+    DATABASE_HOST   = var.deploy_database_as_container ? null : module.postgres[0].host
+    DATABASE_NAME   = var.deploy_database_as_container ? null : module.postgres[0].database_names[0]
+    DATABASE_USER   = var.deploy_database_as_container ? null : module.db_connect_identity[0].name
+  }
+
+  storage_account_name = "st${var.app_short_name}${var.environment}uks"
+  storage_containers   = {}
+  storage_queues       = []
+}
diff --git a/infrastructure/modules/infra/main.tf b/infrastructure/modules/infra/main.tf
index 433e21d2..6278de5a 100644
--- a/infrastructure/modules/infra/main.tf
+++ b/infrastructure/modules/infra/main.tf
@@ -46,9 +46,10 @@ module "container-app-environment" {
     azurerm.dns = azurerm.hub
   }
 
-  name                       = "cae-${var.environment}-uks-${var.app_short_name}"
-  resource_group_name        = azurerm_resource_group.main.name
-  log_analytics_workspace_id = module.log_analytics_workspace_audit.id
-  vnet_integration_subnet_id = module.container_app_subnet.id
-  private_dns_zone_rg_name   = var.features.private_networking ? "rg-hub-${var.hub}-uks-private-dns-zones" : null
+  name                           = "cae-${var.environment}-uks-${var.app_short_name}"
+  resource_group_name            = azurerm_resource_group.main.name
+  internal_load_balancer_enabled = var.features.private_networking
+  log_analytics_workspace_id     = module.log_analytics_workspace_audit.id
+  vnet_integration_subnet_id     = module.container_app_subnet.id
+  private_dns_zone_rg_name       = var.features.private_networking ? "rg-hub-${var.hub}-uks-private-dns-zones" : null
 }
diff --git a/infrastructure/modules/infra/networking.tf b/infrastructure/modules/infra/networking.tf
index a777eafd..1a2150ed 100644
--- a/infrastructure/modules/infra/networking.tf
+++ b/infrastructure/modules/infra/networking.tf
@@ -73,12 +73,12 @@ module "peering_spoke_hub" {
 module "peering_hub_spoke" {
   count = var.features.hub_and_spoke ? 1 : 0
 
+  source = "../dtos-devops-templates/infrastructure/modules/vnet-peering"
+
   providers = {
     azurerm = azurerm.hub
   }
 
-  source = "../dtos-devops-templates/infrastructure/modules/vnet-peering"
-
   name                = "hub-to-${module.main_vnet.name}-peering"
   resource_group_name = local.hub_vnet_rg_name
   vnet_name           = data.azurerm_virtual_network.hub[0].name
@@ -125,7 +125,7 @@ module "main_subnet" {
 
 data "azurerm_private_dns_zone" "key-vault" {
   count = var.features.private_networking ? 1 : 0
-  
+
   provider = azurerm.hub
 
   name                = "privatelink.vaultcore.azure.net"
diff --git a/infrastructure/terraform/data.tf b/infrastructure/terraform/data.tf
new file mode 100644
index 00000000..49fb73ff
--- /dev/null
+++ b/infrastructure/terraform/data.tf
@@ -0,0 +1,37 @@
+# Only do these looks ups if we have already deployed the infra code in a previous run, else don't use it
+data "azurerm_container_app_environment" "this" {
+  count = var.deploy_infra ? 0 : 1
+
+  name                = "cae-${var.environment}-uks-${var.app_short_name}"
+  resource_group_name = local.resource_group_name
+}
+
+data "azurerm_key_vault" "app_key_vault" {
+  count = var.deploy_infra ? 0 : 1
+
+  name                = "kv-${var.app_short_name}-${var.env_config}-app"
+  resource_group_name = local.resource_group_name
+}
+
+data "azurerm_log_analytics_workspace" "audit" {
+  count = var.deploy_infra ? 0 : 1
+
+  name                = "law-${var.environment}-uks-${var.app_short_name}"
+  resource_group_name = local.resource_group_name
+}
+
+data "azurerm_subnet" "postgres" {
+  count = var.deploy_infra ? 0 : 1
+
+  name                 = "snet-postgres"
+  virtual_network_name = "vnet-${var.environment}-uks-${var.app_short_name}"
+  resource_group_name  = local.resource_group_name
+}
+
+data "azurerm_subnet" "main" {
+  count = var.deploy_infra ? 0 : 1
+
+  name                 = "snet-main"
+  virtual_network_name = "vnet-${var.environment}-uks-${var.app_short_name}"
+  resource_group_name  = local.resource_group_name
+}
diff --git a/infrastructure/terraform/main.tf b/infrastructure/terraform/main.tf
index 0c7db617..4c1e1954 100644
--- a/infrastructure/terraform/main.tf
+++ b/infrastructure/terraform/main.tf
@@ -18,39 +18,41 @@ module "infra" {
   vnet_address_space  = var.vnet_address_space
 }
 
-# module "container-apps" {
-#   count = var.deploy_container_apps ? 1 : 0
+module "container-apps" {
+  count = var.deploy_container_apps ? 1 : 0
 
-#   source = "../modules/container-apps"
+  source = "../modules/container-apps"
 
-#   providers = {
-#     azurerm     = azurerm
-#     azurerm.hub = azurerm.hub
-#   }
+  providers = {
+    azurerm     = azurerm
+    azurerm.hub = azurerm.hub
+  }
 
-#   region                                = local.region
-#   app_key_vault_id                      = var.deploy_infra ? module.infra[0].app_key_vault_id : data.azurerm_key_vault.app_key_vault[0].id
-#   app_short_name                        = var.app_short_name
-#   container_app_environment_id          = var.deploy_infra ? module.infra[0].container_app_environment_id : data.azurerm_container_app_environment.this[0].id
-#   default_domain                        = var.deploy_infra ? module.infra[0].default_domain : data.azurerm_container_app_environment.this[0].default_domain
-#   dns_zone_name                         = var.dns_zone_name
-#   docker_image                          = var.docker_image
-#   deploy_database_as_container          = var.deploy_database_as_container
-#   enable_auth                           = var.enable_auth
-#   environment                           = var.environment
-#   env_config                            = var.env_config
-#   fetch_secrets_from_app_key_vault      = var.fetch_secrets_from_app_key_vault
-#   front_door_profile                    = var.front_door_profile
-#   hub                                   = var.hub
-#   log_analytics_workspace_audit_id      = var.deploy_infra ? module.infra[0].log_analytics_workspace_audit_id : data.azurerm_log_analytics_workspace.audit[0].id
-#   postgres_backup_retention_days        = var.postgres_backup_retention_days
-#   postgres_geo_redundant_backup_enabled = var.postgres_geo_redundant_backup_enabled
-#   postgres_sku_name                     = var.postgres_sku_name
-#   postgres_sql_admin_group              = "postgres_${var.app_short_name}_${var.env_config}_uks_admin"
-#   postgres_storage_mb                   = var.postgres_storage_mb
-#   postgres_storage_tier                 = var.postgres_storage_tier
-#   postgres_subnet_id                    = var.deploy_infra ? module.infra[0].postgres_subnet_id : data.azurerm_subnet.postgres[0].id
-#   main_subnet_id                        = var.deploy_infra ? module.infra[0].main_subnet_id : data.azurerm_subnet.main[0].id
-#   seed_demo_data                        = var.seed_demo_data
-#   use_apex_domain                       = var.use_apex_domain
-# }
+  region                                = local.region
+  app_key_vault_id                      = var.deploy_infra ? module.infra[0].app_key_vault_id : data.azurerm_key_vault.app_key_vault[0].id
+  app_short_name                        = var.app_short_name
+  container_app_environment_id          = var.deploy_infra ? module.infra[0].container_app_environment_id : data.azurerm_container_app_environment.this[0].id
+  default_domain                        = var.deploy_infra ? module.infra[0].default_domain : data.azurerm_container_app_environment.this[0].default_domain
+  dns_zone_name                         = var.dns_zone_name
+  docker_image                          = var.docker_image
+  deploy_database_as_container          = var.deploy_database_as_container
+  enable_auth                           = var.enable_auth
+  environment                           = var.environment
+  env_config                            = var.env_config
+  features                              = var.features
+  fetch_secrets_from_app_key_vault      = var.fetch_secrets_from_app_key_vault
+  front_door_profile                    = var.front_door_profile
+  hub                                   = var.hub
+  log_analytics_workspace_audit_id      = var.deploy_infra ? module.infra[0].log_analytics_workspace_audit_id : data.azurerm_log_analytics_workspace.audit[0].id
+  postgres_backup_retention_days        = var.postgres_backup_retention_days
+  postgres_geo_redundant_backup_enabled = var.postgres_geo_redundant_backup_enabled
+  postgres_sku_name                     = var.postgres_sku_name
+  #  postgres_sql_admin_group              = "postgres_${var.app_short_name}_${var.env_config}_uks_admin"
+  postgres_sql_admin_group = "Azure-Lung-Cancer-Screening---Dev-Owner"
+  postgres_storage_mb      = var.postgres_storage_mb
+  postgres_storage_tier    = var.postgres_storage_tier
+  postgres_subnet_id       = var.deploy_infra ? module.infra[0].postgres_subnet_id : data.azurerm_subnet.postgres[0].id
+  main_subnet_id           = var.deploy_infra ? module.infra[0].main_subnet_id : data.azurerm_subnet.main[0].id
+  seed_demo_data           = var.seed_demo_data
+  use_apex_domain          = var.use_apex_domain
+}
diff --git a/infrastructure/terraform/variables.tf b/infrastructure/terraform/variables.tf
index 9eed6e28..109745ca 100644
--- a/infrastructure/terraform/variables.tf
+++ b/infrastructure/terraform/variables.tf
@@ -97,12 +97,6 @@ variable "postgres_storage_tier" {
   type        = string
 }
 
-variable "private_networking" {
-  description = "The region to deploy in"
-  type        = string
-  default     = true
-}
-
 variable "enable_auth" {
   description = "Enable authentication for the container app. If true, the app will use Azure AD authentication."
   type        = bool
@@ -118,7 +112,7 @@ variable "use_apex_domain" {
 variable "dns_zone_name" {
   description = "Value of the DNS zone name to use for the Front Door endpoint"
   type        = string
-  default     = null
+  default     = ""
 }
 
 variable "features" {
@@ -143,6 +137,6 @@ variable "seed_demo_data" {
 }
 
 locals {
-  region = "uksouth"
+  region              = "uksouth"
   resource_group_name = "rg-${var.app_short_name}-${var.env_config}-uks"
 }
diff --git a/scripts/terraform/terraform.mk b/scripts/terraform/terraform.mk
index 7cb07da2..004b7bf9 100644
--- a/scripts/terraform/terraform.mk
+++ b/scripts/terraform/terraform.mk
@@ -1,4 +1,3 @@
-DOCKER_IMAGE=
 REGION=UK South
 APP_SHORT_NAME=lungcs