diff --git a/.github/workflows/deploy-qa.yml b/.github/workflows/deploy-qa.yml index 2db441a8..ab0d2b49 100644 --- a/.github/workflows/deploy-qa.yml +++ b/.github/workflows/deploy-qa.yml @@ -20,6 +20,12 @@ jobs: env: HUSKY: "0" + - name: Setup Terraform + uses: hashicorp/setup-terraform@v2 + with: + terraform_version: 1.12.2 + + - name: Set up Node uses: actions/setup-node@v4 with: @@ -102,6 +108,11 @@ jobs: node-version: 22.x cache: "yarn" + - name: Setup Terraform + uses: hashicorp/setup-terraform@v2 + with: + terraform_version: 1.12.2 + - name: Restore Yarn Cache uses: actions/cache@v4 with: diff --git a/.vscode/extensions.json b/.vscode/extensions.json index 68614859..2c09cfc8 100644 --- a/.vscode/extensions.json +++ b/.vscode/extensions.json @@ -4,6 +4,7 @@ "rvest.vs-code-prettier-eslint", "eamodio.gitlens", "ms-vscode.makefile-tools", - "amazonwebservices.aws-toolkit-vscode" + "amazonwebservices.aws-toolkit-vscode", + "hashicorp.terraform" ] } diff --git a/Makefile b/Makefile index 0802cdbc..b89a1867 100644 --- a/Makefile +++ b/Makefile @@ -90,12 +90,17 @@ postdeploy: deploy_prod: check_account_prod @echo "Deploying CloudFormation stack..." + terraform -chdir=terraform/envs/prod apply -auto-approve + terraform -chdir=terraform/envs/prod init sam deploy $(common_params) --parameter-overrides $(run_env)=prod $(set_application_prefix)=$(application_key) $(set_application_name)="$(application_name)" S3BucketPrefix="$(s3_bucket_prefix)" make postdeploy deploy_dev: check_account_dev @echo "Deploying CloudFormation stack..." sam deploy $(common_params) --parameter-overrides $(run_env)=dev $(set_application_prefix)=$(application_key) $(set_application_name)="$(application_name)" S3BucketPrefix="$(s3_bucket_prefix)" + @echo "Deploying Terraform..." + terraform -chdir=terraform/envs/qa init + terraform -chdir=terraform/envs/qa apply -auto-approve make postdeploy invalidate_cloudfront: 
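Review bot: The new `Setup Terraform` step references `hashicorp/setup-terraform@v2`, a tag that can be moved, so the code this deploy job executes can change without any commit in this repository. Pin the action to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: hashicorp/setup-terraform@<FULL_COMMIT_SHA>  # v2`. The same step is added a second time in the `@@ -102,6 +108,11 @@` hunk and needs the same change. The first hunk also adds two consecutive blank lines before `Set up Node`; one is enough.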
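Review bot: In `deploy_prod` the added `terraform -chdir=terraform/envs/prod apply -auto-approve` runs before `terraform -chdir=terraform/envs/prod init`, so unless `install` has already initialised the directory the apply runs against an uninitialised working directory; `deploy_dev` in the same hunk has the two in the right order. Swap them so it reads `terraform -chdir=terraform/envs/prod init` followed by `terraform -chdir=terraform/envs/prod apply -auto-approve`. Separately, `-auto-approve` on the prod target applies whatever the run computes with no reviewed plan; writing a plan with `terraform plan -out=<PLAN_FILE>` and applying that file would give a checkpoint. Terraform also runs before `sam deploy` in `deploy_prod` but after it in `deploy_dev`; if that ordering is deliberate a comment should say why.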
@@ -114,6 +119,8 @@ invalidate_cloudfront: install: yarn -D pip install cfn-lint + terraform -chdir=terraform/envs/qa init + terraform -chdir=terraform/envs/prod init test_live_integration: install yarn test:live @@ -121,6 +128,10 @@ test_live_integration: install test_unit: install yarn lint cfn-lint cloudformation/**/* + terraform -chdir=terraform/envs/qa fmt -check + terraform -chdir=terraform/envs/prod fmt -check + terraform -chdir=terraform/envs/qa validate + terraform -chdir=terraform/envs/prod validate yarn prettier yarn test:unit diff --git a/cloudformation/logs.yml b/cloudformation/logs.yml index dc9be9b1..7e7ed8f6 100644 --- a/cloudformation/logs.yml +++ b/cloudformation/logs.yml @@ -10,6 +10,8 @@ Parameters: Resources: AppApiLambdaLogGroup: Type: AWS::Logs::LogGroup + DeletionPolicy: Retain + UpdateReplacePolicy: Retain Properties: LogGroupName: Fn::Sub: /aws/lambda/${LambdaFunctionName} diff --git a/terraform/.gitignore b/terraform/.gitignore new file mode 100644 index 00000000..8b2acfa7 --- /dev/null +++ b/terraform/.gitignore 
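Review bot: `AppApiLambdaLogGroup` stays declared in `cloudformation/logs.yml` while the new Terraform configuration imports and manages a log group under the same `/aws/lambda/` prefix, so if the two names resolve to the same group both `sam deploy` and `terraform apply` will set its properties. The added `DeletionPolicy: Retain` and `UpdateReplacePolicy: Retain` read like preparation for removing the resource from the stack without losing logs; a comment saying so, e.g. `# Retained so the log group survives removal from this stack; now managed in terraform/envs/*`, would record the intent. The resource's `Properties` continue outside the hunk, so whether the template sets its own retention is not visible here.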
@@ -0,0 +1,82 @@
+# OSX leaves these everywhere on SMB shares
+._*
+
+# OSX trash
+.DS_Store
+
+# Python
+*.pyc
+
+# Emacs save files
+*~
+\#*\#
+.\#*
+
+# Vim-related files
+[._]*.s[a-w][a-z]
+[._]s[a-w][a-z]
+*.un~
+Session.vim
+.netrwhist
+
+### https://raw.github.com/github/gitignore/90f149de451a5433aebd94d02d11b0e28843a1af/Terraform.gitignore
+
+# Local .terraform directories
+**/.terraform*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Local tfvars terraform.tfvars
+**/*.tfvars
+
+# tf lock file
+**/.terraform.lock.hcl
+
+# Crash log files
+crash.log
+
+# Ignore any .tfvars files that are generated automatically for each Terraform run. Most
+# .tfvars files are managed as part of configuration and so should be included in
+# version control.
+#
+# example.tfvars
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+.idea/
+.vscode/
+# Kitchen files
+**/inspec.lock
+**.gem
+**/.kitchen
+**/.kitchen.local.yml
+**/Gemfile.lock
+# Plan files
+**/tmp_plan
+**/.tmp
+**/tmp
+
+test/fixtures/shared/terraform.tfvars
+
+test/integration/gcloud/config.sh
+test/integration/tmp
+
+credentials.json
+
+helpers/foundation-deployer/foundation-deployer
+helpers/foundation-deployer/.steps.json
+
+# File to populate env vars used by Docker test runs
+.envrc
+
+# Handle files generated on sed command by old (2013-) MacOS versions
+*.tf-e
+
+# Go multi-module workspace sum
+go.work.sum
diff --git a/terraform/envs/prod/main.tf b/terraform/envs/prod/main.tf
new file mode 100644
index 00000000..72b2fddf
--- /dev/null
+++ b/terraform/envs/prod/main.tf
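Review bot: The entries `**/.terraform*` and `**/.terraform.lock.hcl` keep Terraform's dependency lock file out of version control, so the provider version and checksums it records are never shared between developer machines and CI. With the provider constraint `~> 5.92` in the new `main.tf` files, each fresh `terraform init` (the Makefile runs it in `install` and in the deploy targets) can select a different provider build and accepts whatever it downloads on first use. Narrow the first pattern to `**/.terraform/` and delete the `**/.terraform.lock.hcl` line so the lock file is committed and verified. Several entries (`test/integration/gcloud/config.sh`, `helpers/foundation-deployer/...`) look inherited from another project's template and could be dropped.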
@@ -0,0 +1,28 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.92"
+ }
+ }
+
+ required_version = ">= 1.2"
+}
+
+provider "aws" {
+ region = "us-east-1"
+ default_tags {
+ tags = {
+ project = var.ProjectId
+ }
+ }
+}
+
+import {
+ to = aws_cloudwatch_log_group.main_app_logs
+ id = "/aws/lambda/${var.ProjectId}-lambda"
+}
+resource "aws_cloudwatch_log_group" "main_app_logs" {
+ name = "/aws/lambda/${var.ProjectId}-lambda"
+ retention_in_days = var.LogRetentionDays
+}
diff --git a/terraform/envs/prod/variables.tf b/terraform/envs/prod/variables.tf
new file mode 100644
index 00000000..194e98a9
--- /dev/null
+++ b/terraform/envs/prod/variables.tf
@@ -0,0 +1,10 @@
+variable "LogRetentionDays" {
+ type = number
+ default = 90
+}
+
+variable "ProjectId" {
+ type = string
+ default = "infra-core-api"
+}
+
diff --git a/terraform/envs/qa/main.tf b/terraform/envs/qa/main.tf
new file mode 100644
index 00000000..72b2fddf
--- /dev/null
+++ b/terraform/envs/qa/main.tf
@@ -0,0 +1,28 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.92"
+ }
+ }
+
+ required_version = ">= 1.2"
+}
+
+provider "aws" {
+ region = "us-east-1"
+ default_tags {
+ tags = {
+ project = var.ProjectId
+ }
+ }
+}
+
+import {
+ to = aws_cloudwatch_log_group.main_app_logs
+ id = "/aws/lambda/${var.ProjectId}-lambda"
+}
+resource "aws_cloudwatch_log_group" "main_app_logs" {
+ name = "/aws/lambda/${var.ProjectId}-lambda"
+ retention_in_days = var.LogRetentionDays
+}
diff --git a/terraform/envs/qa/variables.tf b/terraform/envs/qa/variables.tf
new file mode 100644
index 00000000..5d2d4f92
--- /dev/null
+++ b/terraform/envs/qa/variables.tf
@@ -0,0 +1,9 @@
+variable "LogRetentionDays" {
+ type = number
+ default = 7
+}
+
+variable "ProjectId" {
+ type = string
+ default = "infra-core-api"
+}
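Review bot: The `terraform` block in `terraform/envs/prod/main.tf` declares no `backend`, so state defaults to a local `terraform.tfstate` in the working directory, which the new `terraform/.gitignore` excludes and which a CI runner would typically discard after the job. The `import` block masks this for the one log group because it is re-imported on each run, but the first resource Terraform actually creates would be lost from state and re-created on the next deploy. Add a remote backend with encryption and state locking before more resources land here; `terraform/envs/qa/main.tf` is the same file and needs the same change with its own key. The bucket and key in the sketch below are placeholders.

```hcl
terraform {
  # … unchanged: required_providers, required_version …

  backend "s3" {
    bucket  = "<STATE_BUCKET_PLACEHOLDER>"
    key     = "<STATE_KEY_PLACEHOLDER>/prod/terraform.tfstate"
    region  = "us-east-1"
    encrypt = true
  }
}
```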
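Review bot: `required_version = ">= 1.2"` in `terraform/envs/qa/main.tf` admits Terraform releases that cannot parse the `import` block further down, since config-driven import arrived in 1.5, and the interpolated `id` may need a newer release still. The workflow installs 1.12.2, but the Makefile targets run whatever `terraform` is on the developer's PATH, so the constraint is what protects a local `make deploy_dev`. Tightening it to match CI, e.g. `required_version = "~> 1.12"`, fails fast with a clear message instead of a parse error. The prod file is byte-identical (same blob `72b2fddf`) and needs the same edit; moving the shared body into one module called from both environments would prevent the two copies from drifting.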