diff --git a/.github/workflows/tofu-apply.yml b/.github/workflows/tofu-apply.yml
index 74efa32aab..2dd8d263f8 100644
--- a/.github/workflows/tofu-apply.yml
+++ b/.github/workflows/tofu-apply.yml
@@ -106,12 +106,18 @@ jobs:
           tofu workspace select -var=parent_env=$ENV -or-create=true $ENV
           tofu plan -out=tfplan
           tofu apply -input=false tfplan 
-      - name: tofu apply - microservices
-        working-directory: ops/services/20-microservices/
+      - name: tofu apply - contracts
+        working-directory: ops/services/20-contracts/
         run: |
           tofu init -var=parent_env=$ENV -reconfigure
           tofu workspace select -var=parent_env=$ENV -or-create=true $ENV
-          tofu plan ${{ inputs.contracts_image_tag != '' && format('{0}{1}', '-var=contracts_service_image_tag=', inputs.contracts_image_tag) || '' }} ${{ inputs.events_image_tag != '' && format('{0}{1}', '-var=events_service_image_tag=', inputs.events_image_tag) || '' }} -out=tfplan
+          tofu plan ${{ inputs.contracts_image_tag != '' && format('{0}{1}', '-var=contracts_service_image_tag=', inputs.contracts_image_tag) || '' }} -out=tfplan
+      - name: tofu apply - events
+        working-directory: ops/services/20-events/
+        run: |
+          tofu init -var=parent_env=$ENV -reconfigure
+          tofu workspace select -var=parent_env=$ENV -or-create=true $ENV
+          tofu plan ${{ inputs.events_image_tag != '' && format('{0}{1}', '-var=events_service_image_tag=', inputs.events_image_tag) || '' }} -out=tfplan
       - name: tofu apply - api
         working-directory: ops/services/30-api/
         run: |
diff --git a/.github/workflows/tofu-plan.yml b/.github/workflows/tofu-plan.yml
index 8a0f74434f..dabd05f1a6 100644
--- a/.github/workflows/tofu-plan.yml
+++ b/.github/workflows/tofu-plan.yml
@@ -102,12 +102,18 @@ jobs:
           tofu init -var=parent_env=$ENV -reconfigure
           tofu workspace select -var=parent_env=$ENV -or-create=true $ENV
           tofu plan
-      - name: tofu plan - microservices
-        working-directory: ops/services/20-microservices/
+      - name: tofu plan - contracts
+        working-directory: ops/services/20-contracts/
         run: |
           tofu init -var=parent_env=$ENV -reconfigure
           tofu workspace select -var=parent_env=$ENV -or-create=true $ENV
-          tofu plan ${{ inputs.contracts_image_tag != '' && format('{0}{1}', '-var=contracts_service_image_tag=', inputs.contracts_image_tag) || '' }} ${{ inputs.events_image_tag != '' && format('{0}{1}', '-var=events_service_image_tag=', inputs.events_image_tag) || '' }}
+          tofu plan ${{ inputs.contracts_image_tag != '' && format('{0}{1}', '-var=contracts_service_image_tag=', inputs.contracts_image_tag) || '' }}
+      - name: tofu plan - events
+        working-directory: ops/services/20-events/
+        run: |
+          tofu init -var=parent_env=$ENV -reconfigure
+          tofu workspace select -var=parent_env=$ENV -or-create=true $ENV
+          tofu plan ${{ inputs.events_image_tag != '' && format('{0}{1}', '-var=events_service_image_tag=', inputs.events_image_tag) || '' }}
       - name: tofu plan - api
         working-directory: ops/services/30-api/
         run: |
diff --git a/ops/services/20-contracts/data.tf b/ops/services/20-contracts/data.tf
new file mode 100644
index 0000000000..0fc07839e7
--- /dev/null
+++ b/ops/services/20-contracts/data.tf
@@ -0,0 +1,36 @@
+data "aws_sns_topic" "events" {
+  name = "${local.service_prefix}-events"
+}
+
+data "aws_sqs_queue" "events" {
+  name = "${local.service_prefix}-events"
+}
+
+data "aws_security_group" "api" {
+  name   = "${local.service_prefix}-api"
+  vpc_id = local.vpc_id
+}
+
+data "aws_security_group" "worker" {
+  name   = "${local.service_prefix}-worker"
+  vpc_id = local.vpc_id
+}
+
+data "aws_security_group" "lambda" {
+  name   = "${local.service_prefix}-microservices-lambda"
+  vpc_id = local.vpc_id
+}
+
+data "aws_rds_cluster" "this" {
+  cluster_identifier = local.service_prefix
+}
+
+data "aws_iam_role" "task_execution_role" {
+  name = "${local.service_prefix}-microservices"
+}
+
+data "aws_ecr_image" "contracts" {
+  repository_name = "ab2d-contracts"
+  image_tag       = var.contracts_service_image_tag
+  most_recent     = var.contracts_service_image_tag == null ? true : null
+}
diff --git a/ops/services/20-contracts/main.tf b/ops/services/20-contracts/main.tf
new file mode 100644
index 0000000000..da9e39a87a
--- /dev/null
+++ b/ops/services/20-contracts/main.tf
@@ -0,0 +1,345 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5"
+    }
+  }
+}
+
+module "platform" {
+  source    = "github.com/CMSgov/cdap//terraform/modules/platform?ref=ff2ef539fb06f2c98f0e3ce0c8f922bdacb96d66"
+  providers = { aws = aws, aws.secondary = aws.secondary }
+
+  app          = local.app
+  env          = local.env
+  root_module  = "https://github.com/CMSgov/ab2d/tree/main/ops/services/20-contracts"
+  service      = local.service
+  ssm_root_map = local.ssm_root_map
+}
+
+locals {
+  default_tags = module.platform.default_tags
+  env          = terraform.workspace
+  service      = "contracts"
+
+  ssm_root_map = {
+    common = "/ab2d/${local.env}/common"
+    core   = "/ab2d/${local.env}/core"
+  }
+
+  benv = lookup({
+    "dev"     = "ab2d-dev"
+    "test"    = "ab2d-east-impl"
+    "prod"    = "ab2d-east-prod"
+    "sandbox" = "ab2d-sbx-sandbox"
+  }, local.parent_env, local.parent_env)
+
+  ab2d_db_host               = data.aws_rds_cluster.this.endpoint
+  aws_account_number         = module.platform.account_id
+  aws_region                 = module.platform.primary_region.name
+  db_database_arn            = module.platform.ssm.core.database_name.arn
+  db_password_arn            = module.platform.ssm.core.database_password.arn
+  db_user_arn                = module.platform.ssm.core.database_user.arn
+  events_sqs_url             = data.aws_sqs_queue.events.url
+  kms_master_key_id          = nonsensitive(module.platform.kms_alias_primary.target_key_arn)
+  network_access_logs_bucket = module.platform.network_access_logs_bucket
+  vpc_id                     = module.platform.vpc_id
+
+  # Use the provided image tag or get the first, human-readable image tag, favoring a tag with 'latest' in its name if it should exist.
+  contracts_image_repo = split("@", data.aws_ecr_image.contracts.image_uri)[0]
+  contracts_image_tag  = coalesce(var.contracts_service_image_tag, flatten([[for t in data.aws_ecr_image.contracts.image_tags : t if strcontains(t, "latest")], data.aws_ecr_image.contracts.image_tags])[0])
+  contracts_image_uri  = "${local.contracts_image_repo}:${local.contracts_image_tag}"
+
+  hpms_api_params_arn      = module.platform.ssm.core.hpms_api_params.arn
+  hpms_auth_key_id_arn     = module.platform.ssm.core.hpms_auth_key_id.arn
+  hpms_auth_key_secret_arn = module.platform.ssm.core.hpms_auth_key_secret.arn
+  hpms_url_arn             = module.platform.ssm.core.hpms_url.arn
+}
+
+module "cluster" {
+  source   = "github.com/CMSgov/cdap//terraform/modules/cluster?ref=e06f4acfea302df22c210549effa2e91bc3eff0d"
+  platform = module.platform
+}
+
+# Chatbot Guardrail Policy
+# FIXME No idea where the chatbot/amazonq resources are to be defined
+resource "aws_iam_policy" "chatbot_guardrail_policy" {
+  name = "${local.service_prefix}-chatbot-guardrail-policy"
+  path = "/delegatedadmin/developer/"
+  policy = templatefile("${path.module}/templates/config/iam/chatbot_policy.json",
+    {
+      aws_account_number = local.aws_account_number
+      role_name          = data.aws_iam_role.task_execution_role.id
+    }
+  )
+}
+
+# Eventbridge
+resource "aws_cloudwatch_event_rule" "this" {
+  name          = "${local.service_prefix}-${local.service}-task-monitoring-rule"
+  description   = "This rule captures the last status of task definitions"
+  event_pattern = <<EOF
+{
+  "source": ["aws.ecs"],
+  "detail-type": ["ECS Task State Change"],
+  "detail": {
+    "clusterArn": ["${module.cluster.this.arn}"],
+    "lastStatus": ["RUNNING"]
+  }
+}
+EOF
+}
+
+resource "aws_cloudwatch_event_target" "this" {
+  rule      = aws_cloudwatch_event_rule.this.name
+  target_id = "SendToSNS"
+  arn       = aws_sns_topic.this.arn
+}
+
+# SNS
+resource "aws_sns_topic" "this" {
+  name              = "${local.service_prefix}-${local.service}-monitoring"
+  kms_master_key_id = local.kms_master_key_id
+}
+
+resource "aws_sns_topic_policy" "this" {
+  arn    = aws_sns_topic.this.arn
+  policy = data.aws_iam_policy_document.this.json
+}
+
+data "aws_iam_policy_document" "this" {
+  statement {
+    effect  = "Allow"
+    actions = ["SNS:Publish"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["events.amazonaws.com"]
+    }
+    resources = [aws_sns_topic.this.arn]
+  }
+}
+
+resource "aws_lb" "internal_lb" {
+  name               = "${local.service_prefix}-${local.service}"
+  internal           = true
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.internal_lb.id]
+  subnets            = keys(module.platform.private_subnets)
+
+  enable_deletion_protection       = !module.platform.is_ephemeral_env
+  enable_cross_zone_load_balancing = true
+  drop_invalid_header_fields       = true
+
+  access_logs {
+    bucket  = local.network_access_logs_bucket
+    enabled = true
+  }
+}
+
+resource "aws_ssm_parameter" "internal_lb" {
+  name  = "/ab2d/${local.env}/${local.service}/nonsensitive/url"
+  value = "http://${aws_lb.internal_lb.dns_name}"
+  type  = "String"
+}
+
+resource "aws_lb_listener" "internal_lb" {
+  load_balancer_arn = aws_lb.internal_lb.arn
+  port              = 80
+  protocol          = "HTTP"
+
+  default_action {
+    target_group_arn = aws_lb_target_group.contracts.arn
+    type             = "forward"
+  }
+}
+
+resource "aws_security_group" "internal_lb" {
+  name   = "${local.service_prefix}-${local.service}-lb"
+  vpc_id = module.platform.vpc_id
+
+  tags = { Name = "${local.service_prefix}-${local.service}-lb" }
+}
+
+resource "aws_security_group_rule" "lambda_sg_ingress_access" {
+  type                     = "ingress"
+  from_port                = 80
+  to_port                  = 80
+  protocol                 = "tcp"
+  description              = "inbound access for lambda to contracts"
+  source_security_group_id = data.aws_security_group.lambda.id
+  security_group_id        = aws_security_group.internal_lb.id
+}
+
+resource "aws_security_group_rule" "api_sg_ingress_access" {
+  type                     = "ingress"
+  from_port                = 80
+  to_port                  = 80
+  protocol                 = "tcp"
+  description              = "inbound access for contracts"
+  source_security_group_id = data.aws_security_group.api.id
+  security_group_id        = aws_security_group.internal_lb.id
+}
+
+resource "aws_security_group_rule" "worker_sg_ingress_access" {
+  type                     = "ingress"
+  from_port                = 80
+  to_port                  = 80
+  protocol                 = "tcp"
+  description              = "inbound access for contracts"
+  source_security_group_id = data.aws_security_group.worker.id
+  security_group_id        = aws_security_group.internal_lb.id
+}
+
+resource "aws_security_group_rule" "contracts_to_worker_egress_access" {
+  type                     = "egress"
+  from_port                = 8070
+  to_port                  = 8070
+  protocol                 = "tcp"
+  description              = "contracts svc to worker sg"
+  source_security_group_id = data.aws_security_group.worker.id
+  security_group_id        = aws_security_group.internal_lb.id
+}
+
+resource "aws_security_group_rule" "contracts_to_api_egress_access" {
+  type                     = "egress"
+  from_port                = 8070
+  to_port                  = 8070
+  protocol                 = "tcp"
+  description              = "contracts svc to api sg"
+  source_security_group_id = data.aws_security_group.api.id # Api
+  security_group_id        = aws_security_group.internal_lb.id
+}
+
+resource "aws_security_group_rule" "access_to_contract_svc" {
+  type                     = "ingress"
+  from_port                = 8070
+  to_port                  = 8070
+  protocol                 = "tcp"
+  description              = "for access to contract svc in api sg"
+  source_security_group_id = aws_security_group.internal_lb.id
+  security_group_id        = data.aws_security_group.api.id
+}
+
+resource "aws_lb_target_group" "contracts" {
+  name        = "${local.service_prefix}-contracts"
+  port        = 8070
+  protocol    = "HTTP"
+  vpc_id      = module.platform.vpc_id
+  target_type = "ip"
+
+  health_check {
+    path = "/health"
+    port = 8070
+  }
+}
+
+resource "aws_security_group_rule" "contracts_to_lambda_egress_access" {
+  type                     = "egress"
+  from_port                = 8070
+  to_port                  = 8070
+  protocol                 = "tcp"
+  description              = "contracts svc to lambda"
+  source_security_group_id = data.aws_security_group.lambda.id
+  security_group_id        = aws_security_group.internal_lb.id
+}
+
+resource "aws_lb_listener_rule" "contracts" {
+  listener_arn = aws_lb_listener.internal_lb.arn
+  priority     = 200
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.contracts.arn
+  }
+
+  condition {
+    path_pattern {
+      values = ["/contracts", "/contracts/*"]
+    }
+  }
+}
+
+module "contracts_service" {
+  source = "github.com/CMSgov/cdap//terraform/modules/service?ref=d9000475e6e2f315ed208f88935ea217ea044fc5"
+
+  cluster_arn                       = module.cluster.this.id
+  cpu                               = 1024
+  desired_count                     = 1
+  execution_role_arn                = data.aws_iam_role.task_execution_role.arn
+  force_new_deployment              = anytrue([var.force_contracts_deployment, var.contracts_service_image_tag != null])
+  health_check_grace_period_seconds = null
+  image                             = local.contracts_image_uri
+  memory                            = 2048
+  platform                          = module.platform
+  security_groups                   = [data.aws_security_group.api.id]
+  service_name_override             = "contracts"
+  task_role_arn                     = data.aws_iam_role.task_execution_role.arn
+
+  container_environment = [
+    { name = "AB2D_DB_HOST", value = local.ab2d_db_host },
+    { name = "AB2D_DB_PORT", value = "5432" },
+    { name = "AB2D_DB_SSL_MODE", value = "require" },
+    { name = "AB2D_EXECUTION_ENV", value = local.benv },
+    { name = "AWS_SQS_URL", value = local.events_sqs_url }
+  ]
+
+  container_secrets = [
+    { name = "AB2D_DB_DATABASE", valueFrom = local.db_database_arn },
+    { name = "AB2D_DB_PASSWORD", valueFrom = local.db_password_arn },
+    { name = "AB2D_DB_USER", valueFrom = local.db_user_arn },
+    { name = "AB2D_HPMS_API_PARAMS", valueFrom = local.hpms_api_params_arn },
+    { name = "AB2D_HPMS_URL", valueFrom = local.hpms_url_arn },
+    { name = "HPMS_AUTH_KEY_ID", valueFrom = local.hpms_auth_key_id_arn },
+    { name = "HPMS_AUTH_KEY_SECRET", valueFrom = local.hpms_auth_key_secret_arn }
+  ]
+
+  load_balancers = [{
+    target_group_arn = aws_lb_target_group.contracts.arn
+    container_name   = "contracts-service-container"
+    container_port   = 8070
+
+  }]
+
+  mount_points = [
+    {
+      "containerPath" = "/tmp",
+      "sourceVolume"  = "tmp",
+      "readOnly"      = false
+    },
+    {
+      "containerPath" = "/newrelic/logs",
+      "sourceVolume"  = "newrelic_logs",
+      "readOnly"      = false
+    },
+    {
+      "containerPath" = "/var/log",
+      "sourceVolume"  = "var_log",
+      "readOnly"      = false
+    }
+  ]
+
+  port_mappings = [
+    {
+      containerPort = 8070
+      hostPort      = 8070
+      protocol      = "tcp"
+    }
+  ]
+
+  volumes = [
+    {
+      configure_at_launch = false
+      name                = "tmp"
+    },
+    {
+      configure_at_launch = false
+      name                = "newrelic_logs"
+    },
+    {
+      configure_at_launch = false
+      name                = "var_log"
+    }
+  ]
+}
diff --git a/ops/services/20-contracts/moved.tf b/ops/services/20-contracts/moved.tf
new file mode 100644
index 0000000000..a4d9182a4c
--- /dev/null
+++ b/ops/services/20-contracts/moved.tf
@@ -0,0 +1,9 @@
+moved {
+  from = aws_ecs_task_definition.contracts
+  to   = module.contracts_service.aws_ecs_task_definition.this
+}
+
+moved {
+  from = aws_ecs_service.contracts
+  to   = module.contracts_service.aws_ecs_service.this
+}
diff --git a/ops/services/20-contracts/templates/config/iam/chatbot_policy.json b/ops/services/20-contracts/templates/config/iam/chatbot_policy.json
new file mode 100644
index 0000000000..e663d1e1ff
--- /dev/null
+++ b/ops/services/20-contracts/templates/config/iam/chatbot_policy.json
@@ -0,0 +1,18 @@
+{
+    "Statement": [
+        {
+            "Action": [
+                "chatbot:UpdateSlackChannelConfiguration",
+                "chatbot:UpdateChimeWebhookConfiguration",
+                "chatbot:Describe*",
+                "chatbot:DeleteSlackChannelConfiguration",
+                "chatbot:CreateSlackChannelConfiguration",
+                "chatbot:CreateChimeWebhookConfiguration"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws:chatbot::${aws_account_number}:chat-configuration/slack-channel/${role_name}",
+            "Sid": ""
+        }
+    ],
+    "Version": "2012-10-17"
+}
diff --git a/ops/services/20-contracts/tofu.tf b/ops/services/20-contracts/tofu.tf
new file mode 120000
index 0000000000..007a2292a5
--- /dev/null
+++ b/ops/services/20-contracts/tofu.tf
@@ -0,0 +1 @@
+../root.tofu.tf
\ No newline at end of file
diff --git a/ops/services/20-contracts/variables.tf b/ops/services/20-contracts/variables.tf
new file mode 100644
index 0000000000..298a1c0745
--- /dev/null
+++ b/ops/services/20-contracts/variables.tf
@@ -0,0 +1,11 @@
+variable "contracts_service_image_tag" {
+  default     = null
+  description = "Desired image tag for the contracts service stored in ECR"
+  type        = string
+}
+
+variable "force_contracts_deployment" {
+  default     = false
+  description = "Override to force a contracts deployment. Contracts deployments are automatic when `var.contracts_service_image_tag` is specified."
+  type        = bool
+}
diff --git a/ops/services/20-events/data.tf b/ops/services/20-events/data.tf
new file mode 100644
index 0000000000..fdf564b971
--- /dev/null
+++ b/ops/services/20-events/data.tf
@@ -0,0 +1,36 @@
+data "aws_sns_topic" "events" {
+  name = "${local.service_prefix}-events"
+}
+
+data "aws_sqs_queue" "events" {
+  name = "${local.service_prefix}-events"
+}
+
+data "aws_security_group" "api" {
+  name   = "${local.service_prefix}-api"
+  vpc_id = local.vpc_id
+}
+
+data "aws_security_group" "worker" {
+  name   = "${local.service_prefix}-worker"
+  vpc_id = local.vpc_id
+}
+
+data "aws_security_group" "lambda" {
+  name   = "${local.service_prefix}-microservices-lambda"
+  vpc_id = local.vpc_id
+}
+
+data "aws_rds_cluster" "this" {
+  cluster_identifier = local.service_prefix
+}
+
+data "aws_iam_role" "task_execution_role" {
+  name = "${local.service_prefix}-microservices"
+}
+
+data "aws_ecr_image" "events" {
+  repository_name = "ab2d-events"
+  image_tag       = var.events_service_image_tag
+  most_recent     = var.events_service_image_tag == null ? true : null
+}
diff --git a/ops/services/20-events/main.tf b/ops/services/20-events/main.tf
new file mode 100644
index 0000000000..8928d820f5
--- /dev/null
+++ b/ops/services/20-events/main.tf
@@ -0,0 +1,269 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5"
+    }
+  }
+}
+
+module "platform" {
+  source    = "github.com/CMSgov/cdap//terraform/modules/platform?ref=ff2ef539fb06f2c98f0e3ce0c8f922bdacb96d66"
+  providers = { aws = aws, aws.secondary = aws.secondary }
+
+  app          = local.app
+  env          = local.env
+  root_module  = "https://github.com/CMSgov/ab2d/tree/main/ops/services/20-events"
+  service      = local.service
+  ssm_root_map = local.ssm_root_map
+}
+
+locals {
+  default_tags = module.platform.default_tags
+  env          = terraform.workspace
+  service      = "events"
+
+  ssm_root_map = {
+    common = "/ab2d/${local.env}/common"
+    core   = "/ab2d/${local.env}/core"
+  }
+
+  benv = lookup({
+    "dev"     = "ab2d-dev"
+    "test"    = "ab2d-east-impl"
+    "prod"    = "ab2d-east-prod"
+    "sandbox" = "ab2d-sbx-sandbox"
+  }, local.parent_env, local.parent_env)
+
+  ab2d_db_host               = data.aws_rds_cluster.this.endpoint
+  aws_account_number         = module.platform.account_id
+  aws_region                 = module.platform.primary_region.name
+  db_database_arn            = module.platform.ssm.core.database_name.arn
+  db_password_arn            = module.platform.ssm.core.database_password.arn
+  db_user_arn                = module.platform.ssm.core.database_user.arn
+  events_sqs_url             = data.aws_sqs_queue.events.url
+  kms_master_key_id          = nonsensitive(module.platform.kms_alias_primary.target_key_arn)
+  network_access_logs_bucket = module.platform.network_access_logs_bucket
+  vpc_id                     = module.platform.vpc_id
+
+  # Use the provided image tag or get the first, human-readable image tag, favoring a tag with 'latest' in its name if it should exist.
+  events_image_repo = split("@", data.aws_ecr_image.events.image_uri)[0]
+  events_image_tag  = coalesce(var.events_service_image_tag, flatten([[for t in data.aws_ecr_image.events.image_tags : t if strcontains(t, "latest")], data.aws_ecr_image.events.image_tags])[0])
+  events_image_uri  = "${local.events_image_repo}:${local.events_image_tag}"
+
+  ab2d_keystore_location_arn = module.platform.ssm.core.keystore_location.arn
+  ab2d_keystore_password_arn = module.platform.ssm.core.keystore_password.arn
+
+  ab2d_okta_jwt_issuer_arn      = module.platform.ssm.core.okta_jwt_issuer.arn
+  ab2d_slack_alert_webhooks_arn = module.platform.ssm.common.slack_alert_webhooks.arn
+  ab2d_slack_trace_webhooks_arn = module.platform.ssm.common.slack_trace_webhooks.arn
+}
+
+module "cluster" {
+  source   = "github.com/CMSgov/cdap//terraform/modules/cluster?ref=e06f4acfea302df22c210549effa2e91bc3eff0d"
+  platform = module.platform
+}
+
+# Chatbot Guardrail Policy
+# FIXME No idea where the chatbot/amazonq resources are to be defined
+resource "aws_iam_policy" "chatbot_guardrail_policy" {
+  name = "${local.service_prefix}-chatbot-guardrail-policy"
+  path = "/delegatedadmin/developer/"
+  policy = templatefile("${path.module}/templates/config/iam/chatbot_policy.json",
+    {
+      aws_account_number = local.aws_account_number
+      role_name          = data.aws_iam_role.task_execution_role.id
+    }
+  )
+}
+
+# Eventbridge
+resource "aws_cloudwatch_event_rule" "this" {
+  name          = "${local.service_prefix}-${local.service}-task-monitoring-rule"
+  description   = "This rule captures the last status of task definitions"
+  event_pattern = <<EOF
+{
+  "source": ["aws.ecs"],
+  "detail-type": ["ECS Task State Change"],
+  "detail": {
+    "clusterArn": ["${module.cluster.this.arn}"],
+    "lastStatus": ["RUNNING"]
+  }
+}
+EOF
+}
+
+resource "aws_cloudwatch_event_target" "this" {
+  rule      = aws_cloudwatch_event_rule.this.name
+  target_id = "SendToSNS"
+  arn       = aws_sns_topic.this.arn
+}
+
+# SNS
+resource "aws_sns_topic" "this" {
+  name              = "${local.service_prefix}-${local.service}-monitoring"
+  kms_master_key_id = local.kms_master_key_id
+}
+
+resource "aws_sns_topic_policy" "this" {
+  arn    = aws_sns_topic.this.arn
+  policy = data.aws_iam_policy_document.this.json
+}
+
+data "aws_iam_policy_document" "this" {
+  statement {
+    effect  = "Allow"
+    actions = ["SNS:Publish"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["events.amazonaws.com"]
+    }
+    resources = [aws_sns_topic.this.arn]
+  }
+}
+
+resource "aws_lb" "internal_lb" {
+  name               = "${local.service_prefix}-${local.service}"
+  internal           = true
+  load_balancer_type = "application"
+  security_groups    = [aws_security_group.internal_lb.id]
+  subnets            = keys(module.platform.private_subnets)
+
+  enable_deletion_protection       = !module.platform.is_ephemeral_env
+  enable_cross_zone_load_balancing = true
+  drop_invalid_header_fields       = true
+
+  access_logs {
+    bucket  = local.network_access_logs_bucket
+    enabled = true
+  }
+}
+
+resource "aws_ssm_parameter" "internal_lb" {
+  name  = "/ab2d/${local.env}/${local.service}/nonsensitive/url"
+  value = "http://${aws_lb.internal_lb.dns_name}"
+  type  = "String"
+}
+
+resource "aws_security_group" "internal_lb" {
+  name   = "${local.service_prefix}-${local.service}-lb"
+  vpc_id = module.platform.vpc_id
+
+  tags = { Name = "${local.service_prefix}-${local.service}-lb" }
+}
+
+resource "aws_security_group_rule" "lambda_sg_ingress_access" {
+  type                     = "ingress"
+  from_port                = 80
+  to_port                  = 80
+  protocol                 = "tcp"
+  description              = "inbound access for lambda to microservices"
+  source_security_group_id = data.aws_security_group.lambda.id
+  security_group_id        = aws_security_group.internal_lb.id
+}
+
+resource "aws_security_group_rule" "api_sg_ingress_access" {
+  type                     = "ingress"
+  from_port                = 80
+  to_port                  = 80
+  protocol                 = "tcp"
+  description              = "inbound access for microservices"
+  source_security_group_id = data.aws_security_group.api.id
+  security_group_id        = aws_security_group.internal_lb.id
+}
+
+resource "aws_security_group_rule" "worker_sg_ingress_access" {
+  type                     = "ingress"
+  from_port                = 80
+  to_port                  = 80
+  protocol                 = "tcp"
+  description              = "inbound access for microservices"
+  source_security_group_id = data.aws_security_group.worker.id
+  security_group_id        = aws_security_group.internal_lb.id
+}
+
+resource "aws_sns_topic_subscription" "events" {
+  topic_arn = data.aws_sns_topic.events.arn
+  protocol  = "sqs"
+  endpoint  = data.aws_sqs_queue.events.arn
+}
+
+module "events_service" {
+  source = "github.com/CMSgov/cdap//terraform/modules/service?ref=d9000475e6e2f315ed208f88935ea217ea044fc5"
+
+  cluster_arn           = module.cluster.this.id
+  cpu                   = 512
+  desired_count         = 1
+  execution_role_arn    = data.aws_iam_role.task_execution_role.arn
+  force_new_deployment  = anytrue([var.force_events_deployment, var.events_service_image_tag != null])
+  image                 = local.events_image_uri
+  memory                = 1024
+  platform              = module.platform
+  security_groups       = [data.aws_security_group.api.id]
+  service_name_override = "events"
+  task_role_arn         = data.aws_iam_role.task_execution_role.arn
+
+  container_environment = [
+    { name = "AB2D_DB_HOST", value = local.ab2d_db_host },
+    { name = "AB2D_DB_PORT", value = "5432" },
+    { name = "AB2D_DB_SSL_MODE", value = "require" },
+    { name = "AB2D_EXECUTION_ENV", value = local.benv },
+    { name = "AWS_SQS_FEATURE_FLAG", value = "true" }, #FIXME: is this even used?
+    { name = "AWS_SQS_URL", value = local.events_sqs_url },
+    { name = "IMAGE_VERSION", value = local.events_image_tag } #FIXME: is this even used?
+  ]
+
+  container_secrets = [
+    { name = "AB2D_DB_DATABASE", valueFrom = local.db_database_arn },
+    { name = "AB2D_DB_PASSWORD", valueFrom = local.db_password_arn },
+    { name = "AB2D_DB_USER", valueFrom = local.db_user_arn },
+    { name = "AB2D_KEYSTORE_LOCATION", valueFrom = local.ab2d_keystore_location_arn }, #FIXME: is this even used?
+    { name = "AB2D_KEYSTORE_PASSWORD", valueFrom = local.ab2d_keystore_password_arn }, #FIXME: is this even used?
+    { name = "AB2D_OKTA_JWT_ISSUER", valueFrom = local.ab2d_okta_jwt_issuer_arn },     #FIXME: is this even used?
+    { name = "AB2D_SLACK_ALERT_WEBHOOKS", valueFrom = local.ab2d_slack_alert_webhooks_arn },
+    { name = "AB2D_SLACK_TRACE_WEBHOOKS", valueFrom = local.ab2d_slack_trace_webhooks_arn }
+  ]
+
+  mount_points = [
+    {
+      "containerPath" = "/tmp",
+      "sourceVolume"  = "tmp",
+      "readOnly"      = false
+    },
+    {
+      "containerPath" = "/newrelic/logs",
+      "sourceVolume"  = "newrelic_logs",
+      "readOnly"      = false
+    },
+    {
+      "containerPath" = "/var/log",
+      "sourceVolume"  = "var_log",
+      "readOnly"      = false
+    }
+  ]
+
+  port_mappings = [
+    {
+      hostPort      = 8010 #FIXME is this even necessary?
+      containerPort = 8010
+      protocol      = "tcp"
+    }
+  ]
+
+  volumes = [
+    {
+      configure_at_launch = false
+      name                = "tmp"
+    },
+    {
+      configure_at_launch = false
+      name                = "newrelic_logs"
+    },
+    {
+      configure_at_launch = false
+      name                = "var_log"
+    }
+
+  ]
+}
diff --git a/ops/services/20-events/moved.tf b/ops/services/20-events/moved.tf
new file mode 100644
index 0000000000..9a4c71f297
--- /dev/null
+++ b/ops/services/20-events/moved.tf
@@ -0,0 +1,9 @@
+moved {
+  from = aws_ecs_task_definition.events
+  to   = module.events_service.aws_ecs_task_definition.this
+}
+
+moved {
+  from = aws_ecs_service.events
+  to   = module.events_service.aws_ecs_service.this
+}
diff --git a/ops/services/20-events/templates/config/iam/chatbot_policy.json b/ops/services/20-events/templates/config/iam/chatbot_policy.json
new file mode 100644
index 0000000000..e663d1e1ff
--- /dev/null
+++ b/ops/services/20-events/templates/config/iam/chatbot_policy.json
@@ -0,0 +1,18 @@
+{
+    "Statement": [
+        {
+            "Action": [
+                "chatbot:UpdateSlackChannelConfiguration",
+                "chatbot:UpdateChimeWebhookConfiguration",
+                "chatbot:Describe*",
+                "chatbot:DeleteSlackChannelConfiguration",
+                "chatbot:CreateSlackChannelConfiguration",
+                "chatbot:CreateChimeWebhookConfiguration"
+            ],
+            "Effect": "Allow",
+            "Resource": "arn:aws:chatbot::${aws_account_number}:chat-configuration/slack-channel/${role_name}",
+            "Sid": ""
+        }
+    ],
+    "Version": "2012-10-17"
+}
diff --git a/ops/services/20-events/tofu.tf b/ops/services/20-events/tofu.tf
new file mode 120000
index 0000000000..007a2292a5
--- /dev/null
+++ b/ops/services/20-events/tofu.tf
@@ -0,0 +1 @@
+../root.tofu.tf
\ No newline at end of file
diff --git a/ops/services/20-events/variables.tf b/ops/services/20-events/variables.tf
new file mode 100644
index 0000000000..88d1bffd4c
--- /dev/null
+++ b/ops/services/20-events/variables.tf
@@ -0,0 +1,11 @@
+variable "events_service_image_tag" {
+  default     = null
+  description = "Desired image tag for the events service stored in ECR"
+  type        = string
+}
+
+variable "force_events_deployment" {
+  default     = false
+  description = "Override to force a events deployment. Events deployments are automatic when `var.events_service_image_tag` is specified."
+  type        = bool
+}
diff --git a/ops/services/20-microservices/contracts.tf b/ops/services/20-microservices/contracts.tf
index 721035b23d..1a8418e073 100644
--- a/ops/services/20-microservices/contracts.tf
+++ b/ops/services/20-microservices/contracts.tf
@@ -10,106 +10,6 @@ locals {
   hpms_url_arn             = module.platform.ssm.core.hpms_url.arn
 }
 
-resource "aws_ecs_task_definition" "contracts" {
-  family                   = "${local.service_prefix}-contracts"
-  network_mode             = "awsvpc"
-  execution_role_arn       = data.aws_iam_role.task_execution_role.arn
-  task_role_arn            = data.aws_iam_role.task_execution_role.arn #TODO task/execution role probably ought to be different 😕
-  requires_compatibilities = ["FARGATE"]
-  cpu                      = 1024
-  memory                   = 2048
-  container_definitions = nonsensitive(jsonencode([{
-    name : "contracts-service-container", #TODO: Consider simplifying this name, just use "contracts"
-    image : local.contracts_image_uri,
-    readonlyRootFilesystem = true
-    essential : true,
-    secrets : [
-      { name : "AB2D_DB_DATABASE", valueFrom : local.db_database_arn },
-      { name : "AB2D_DB_PASSWORD", valueFrom : local.db_password_arn },
-      { name : "AB2D_DB_USER", valueFrom : local.db_user_arn },
-      { name : "AB2D_HPMS_API_PARAMS", valueFrom : local.hpms_api_params_arn },
-      { name : "AB2D_HPMS_URL", valueFrom : local.hpms_url_arn },
-      { name : "HPMS_AUTH_KEY_ID", valueFrom : local.hpms_auth_key_id_arn },
-      { name : "HPMS_AUTH_KEY_SECRET", valueFrom : local.hpms_auth_key_secret_arn }
-    ],
-    environment : [
-      { name : "AB2D_DB_HOST", value : local.ab2d_db_host },
-      { name : "AB2D_DB_PORT", value : "5432" },
-      { name : "AB2D_DB_SSL_MODE", value : "require" },
-      { name : "AB2D_EXECUTION_ENV", value : local.benv },
-      { name : "AWS_SQS_URL", value : local.events_sqs_url }
-    ],
-    portMappings : [
-      {
-        containerPort : 8070
-      }
-    ],
-    logConfiguration : {
-      logDriver : "awslogs",
-      options : {
-        awslogs-group = "/aws/ecs/fargate/${local.service_prefix}/ab2d_contracts",
-        awslogs-create-group : "true",
-        awslogs-region : local.aws_region,
-        awslogs-stream-prefix : local.service_prefix
-      }
-    },
-    healthCheck : null
-    mountPoints = [
-      {
-        "containerPath" : "/tmp",
-        "sourceVolume" : "tmp",
-        "readOnly" : false
-      },
-      {
-        "containerPath" : "/newrelic/logs",
-        "sourceVolume" : "newrelic_logs",
-        "readOnly" : false
-      },
-      {
-        "containerPath" : "/var/log",
-        "sourceVolume" : "var_log",
-        "readOnly" : false
-      }
-    ]
-  }]))
-  # The NewRelic agent needs access to these
-  volume {
-    name = "tmp"
-  }
-  volume {
-    name = "newrelic_logs"
-  }
-  volume {
-    name = "var_log"
-  }
-}
-
-resource "aws_ecs_service" "contracts" {
-  name                 = "${local.service_prefix}-contracts"
-  cluster              = module.cluster.this.id
-  task_definition      = aws_ecs_task_definition.contracts.arn
-  desired_count        = 1
-  launch_type          = "FARGATE"
-  platform_version     = "1.4.0"
-  force_new_deployment = anytrue([var.force_contracts_deployment, var.contracts_service_image_tag != null])
-  propagate_tags       = "SERVICE"
-
-  tags = {
-    service = "contracts"
-  }
-
-  network_configuration {
-    subnets          = keys(module.platform.private_subnets)
-    assign_public_ip = false
-    security_groups  = [data.aws_security_group.api.id]
-  }
-  load_balancer {
-    target_group_arn = aws_lb_target_group.contracts.arn
-    container_name   = "contracts-service-container"
-    container_port   = 8070
-  }
-}
-
 resource "aws_security_group_rule" "contracts_to_worker_egress_access" {
   type                     = "egress"
   from_port                = 8070
@@ -178,3 +78,86 @@ resource "aws_lb_listener_rule" "contracts" {
     }
   }
 }
+
+module "contracts_service" {
+  source = "github.com/CMSgov/cdap//terraform/modules/service?ref=d9000475e6e2f315ed208f88935ea217ea044fc5"
+
+  cluster_arn = module.cluster.this.id
+  cpu                               = 1024
+  desired_count                     = 1
+  execution_role_arn                = data.aws_iam_role.task_execution_role.arn
+  force_new_deployment              = anytrue([var.force_contracts_deployment, var.contracts_service_image_tag != null])
+  health_check_grace_period_seconds = null
+  image                             = local.contracts_image_uri
+  memory                            = 2048
+  platform                          = module.platform
+  security_groups                   = [data.aws_security_group.api.id]
+  service_name_override             = "contracts"
+  task_role_arn                     = data.aws_iam_role.task_execution_role.arn
+
+  container_environment = [
+    { name = "AB2D_DB_HOST", value = local.ab2d_db_host },
+    { name = "AB2D_DB_PORT", value = "5432" },
+    { name = "AB2D_DB_SSL_MODE", value = "require" },
+    { name = "AB2D_EXECUTION_ENV", value = local.benv },
+    { name = "AWS_SQS_URL", value = local.events_sqs_url }
+  ]
+
+  container_secrets = [
+    { name = "AB2D_DB_DATABASE", valueFrom = local.db_database_arn },
+    { name = "AB2D_DB_PASSWORD", valueFrom = local.db_password_arn },
+    { name = "AB2D_DB_USER", valueFrom = local.db_user_arn },
+    { name = "AB2D_HPMS_API_PARAMS", valueFrom = local.hpms_api_params_arn },
+    { name = "AB2D_HPMS_URL", valueFrom = local.hpms_url_arn },
+    { name = "HPMS_AUTH_KEY_ID", valueFrom = local.hpms_auth_key_id_arn },
+    { name = "HPMS_AUTH_KEY_SECRET", valueFrom = local.hpms_auth_key_secret_arn }
+  ]
+
+  load_balancers = [{
+    target_group_arn = aws_lb_target_group.contracts.arn
+    container_name   = "contracts-service-container"
+    container_port   = 8070
+
+  }]
+
+  mount_points = [
+    {
+      "containerPath" = "/tmp",
+      "sourceVolume"  = "tmp",
+      "readOnly"      = false
+    },
+    {
+      "containerPath" = "/newrelic/logs",
+      "sourceVolume"  = "newrelic_logs",
+      "readOnly"      = false
+    },
+    {
+      "containerPath" = "/var/log",
+      "sourceVolume"  = "var_log",
+      "readOnly"      = false
+    }
+  ]
+
+  port_mappings = [
+    {
+      containerPort = 8070
+      hostPort      = 8070
+      protocol      = "tcp"
+    }
+  ]
+
+  volumes = [
+    {
+      configure_at_launch = false
+      name                = "tmp"
+    },
+    {
+      configure_at_launch = false
+      name                = "newrelic_logs"
+    },
+    {
+      configure_at_launch = false
+      name                = "var_log"
+    }
+  ]
+}
diff --git a/ops/services/20-microservices/events.tf b/ops/services/20-microservices/events.tf
index d940aa28e5..1d11ce8abc 100644
--- a/ops/services/20-microservices/events.tf
+++ b/ops/services/20-microservices/events.tf
@@ -18,101 +18,81 @@ resource "aws_sns_topic_subscription" "events" {
   endpoint  = data.aws_sqs_queue.events.arn
 }
 
-resource "aws_ecs_task_definition" "events" {
-  family             = "${local.service_prefix}-events"
-  network_mode       = "awsvpc"
-  execution_role_arn = data.aws_iam_role.task_execution_role.arn
-  task_role_arn      = data.aws_iam_role.task_execution_role.arn
+module "events_service" {
+  source = "github.com/CMSgov/cdap//terraform/modules/service?ref=d9000475e6e2f315ed208f88935ea217ea044fc5"
 
-  requires_compatibilities = ["FARGATE"]
-  cpu                      = 512
-  memory                   = 1024
-  container_definitions = nonsensitive(jsonencode([{
-    name : "events-service-container", #TODO: Consider simplifying this name, just use "events"
-    image : local.events_image_uri,
-    readonlyRootFilesystem = true
-    essential : true,
-    secrets : [
-      { name : "AB2D_DB_DATABASE", valueFrom : local.db_database_arn },
-      { name : "AB2D_DB_PASSWORD", valueFrom : local.db_password_arn },
-      { name : "AB2D_DB_USER", valueFrom : local.db_user_arn },
-      { name : "AB2D_KEYSTORE_LOCATION", valueFrom : local.ab2d_keystore_location_arn }, #FIXME: is this even used?
-      { name : "AB2D_KEYSTORE_PASSWORD", valueFrom : local.ab2d_keystore_password_arn }, #FIXME: is this even used?
-      { name : "AB2D_OKTA_JWT_ISSUER", valueFrom : local.ab2d_okta_jwt_issuer_arn },     #FIXME: is this even used?
-      { name : "AB2D_SLACK_ALERT_WEBHOOKS", valueFrom : local.ab2d_slack_alert_webhooks_arn },
-      { name : "AB2D_SLACK_TRACE_WEBHOOKS", valueFrom : local.ab2d_slack_trace_webhooks_arn }
-    ],
-    environment : [
-      { name : "AB2D_DB_HOST", value : local.ab2d_db_host },
-      { name : "AB2D_DB_PORT", value : "5432" },
-      { name : "AB2D_DB_SSL_MODE", value : "require" },
-      { name : "AB2D_EXECUTION_ENV", value : local.benv },
-      { name : "AWS_SQS_FEATURE_FLAG", value : "true" }, #FIXME: is this even used?
-      { name : "AWS_SQS_URL", value : local.events_sqs_url },
-      { name : "IMAGE_VERSION", value : local.events_image_tag } #FIXME: is this even used?
-    ],
-    portMappings : [
-      {
-        containerPort : 8010 #FIXME is this even necessary?
-      }
-    ],
-    logConfiguration : {
-      logDriver : "awslogs",
-      options : {
-        awslogs-group = "/aws/ecs/fargate/${local.service_prefix}/ab2d_events",
-        awslogs-create-group : "true",
-        awslogs-region : local.aws_region,
-        awslogs-stream-prefix : local.service_prefix
-      }
+  cluster_arn                       = module.cluster.this.id
+  cpu                               = 512
+  desired_count                     = 1
+  execution_role_arn                = data.aws_iam_role.task_execution_role.arn
+  force_new_deployment              = anytrue([var.force_events_deployment, var.events_service_image_tag != null])
+  image                             = local.events_image_uri
+  memory                            = 1024
+  platform                          = module.platform
+  security_groups                   = [data.aws_security_group.api.id]
+  service_name_override             = "events"
+  task_role_arn                     = data.aws_iam_role.task_execution_role.arn
+
+  container_environment = [
+    { name = "AB2D_DB_HOST", value = local.ab2d_db_host },
+    { name = "AB2D_DB_PORT", value = "5432" },
+    { name = "AB2D_DB_SSL_MODE", value = "require" },
+    { name = "AB2D_EXECUTION_ENV", value = local.benv },
+    { name = "AWS_SQS_FEATURE_FLAG", value = "true" }, #FIXME: is this even used?
+    { name = "AWS_SQS_URL", value = local.events_sqs_url },
+    { name = "IMAGE_VERSION", value = local.events_image_tag } #FIXME: is this even used?
+  ]
+
+  container_secrets = [
+    { name = "AB2D_DB_DATABASE", valueFrom = local.db_database_arn },
+    { name = "AB2D_DB_PASSWORD", valueFrom = local.db_password_arn },
+    { name = "AB2D_DB_USER", valueFrom = local.db_user_arn },
+    { name = "AB2D_KEYSTORE_LOCATION", valueFrom = local.ab2d_keystore_location_arn }, #FIXME: is this even used?
+    { name = "AB2D_KEYSTORE_PASSWORD", valueFrom = local.ab2d_keystore_password_arn }, #FIXME: is this even used?
+    { name = "AB2D_OKTA_JWT_ISSUER", valueFrom = local.ab2d_okta_jwt_issuer_arn },     #FIXME: is this even used?
+    { name = "AB2D_SLACK_ALERT_WEBHOOKS", valueFrom = local.ab2d_slack_alert_webhooks_arn },
+    { name = "AB2D_SLACK_TRACE_WEBHOOKS", valueFrom = local.ab2d_slack_trace_webhooks_arn }
+  ]
+
+  mount_points = [
+    {
+      "containerPath" = "/tmp",
+      "sourceVolume"  = "tmp",
+      "readOnly"      = false
     },
-    healthCheck : null
-    mountPoints = [
-      {
-        "containerPath" : "/tmp",
-        "sourceVolume" : "tmp",
-        "readOnly" : false
-      },
-      {
-        "containerPath" : "/newrelic/logs",
-        "sourceVolume" : "newrelic_logs",
-        "readOnly" : false
-      },
-      {
-        "containerPath" : "/var/log",
-        "sourceVolume" : "var_log",
-        "readOnly" : false
-      }
-    ]
-  }]))
-  # The NewRelic agent needs access to these
-  volume {
-    name = "tmp"
-  }
-  volume {
-    name = "newrelic_logs"
-  }
-  volume {
-    name = "var_log"
-  }
-}
+    {
+      "containerPath" = "/newrelic/logs",
+      "sourceVolume"  = "newrelic_logs",
+      "readOnly"      = false
+    },
+    {
+      "containerPath" = "/var/log",
+      "sourceVolume"  = "var_log",
+      "readOnly"      = false
+    }
+  ]
 
-resource "aws_ecs_service" "events" {
-  name                 = "${local.service_prefix}-events"
-  cluster              = module.cluster.this.id
-  task_definition      = aws_ecs_task_definition.events.arn
-  desired_count        = 1
-  launch_type          = "FARGATE"
-  platform_version     = "1.4.0"
-  force_new_deployment = anytrue([var.force_events_deployment, var.events_service_image_tag != null])
-  propagate_tags       = "SERVICE"
+  port_mappings = [
+    {
+      hostPort      = 8010 #FIXME is this even necessary?
+      containerPort = 8010
+      protocol      = "tcp"
+    }
+  ]
 
-  tags = {
-    service = "events"
-  }
+  volumes = [
+    {
+      configure_at_launch = false
+      name                = "tmp"
+    },
+    {
+      configure_at_launch = false
+      name                = "newrelic_logs"
+    },
+    {
+      configure_at_launch = false
+      name                = "var_log"
+    }
 
-  network_configuration {
-    subnets          = keys(module.platform.private_subnets)
-    assign_public_ip = false
-    security_groups  = [data.aws_security_group.api.id]
-  }
+  ]
 }
diff --git a/ops/services/20-microservices/moved.tf b/ops/services/20-microservices/moved.tf
new file mode 100644
index 0000000000..5706b64f14
--- /dev/null
+++ b/ops/services/20-microservices/moved.tf
@@ -0,0 +1,19 @@
+moved {
+  from = aws_ecs_task_definition.contracts
+  to   = module.contracts_service.aws_ecs_task_definition.this
+}
+
+moved {
+  from = aws_ecs_service.contracts
+  to   = module.contracts_service.aws_ecs_service.this
+}
+
+moved {
+  from = aws_ecs_task_definition.events
+  to   = module.events_service.aws_ecs_task_definition.this
+}
+
+moved {
+  from = aws_ecs_service.events
+  to   = module.events_service.aws_ecs_service.this
+}
diff --git a/ops/services/30-worker/main.tf b/ops/services/30-worker/main.tf
index 900902f375..0db7cfbbc9 100644
--- a/ops/services/30-worker/main.tf
+++ b/ops/services/30-worker/main.tf
@@ -119,129 +119,104 @@ resource "aws_security_group_rule" "efs_ingress" {
   security_group_id        = data.aws_security_group.efs.id
 }
 
+data "aws_sqs_queue" "events" {
+  name = "${local.service_prefix}-events"
+}
 
 module "cluster" {
   source   = "github.com/CMSgov/cdap//terraform/modules/cluster?ref=e06f4acfea302df22c210549effa2e91bc3eff0d"
   platform = module.platform
 }
 
-data "aws_sqs_queue" "events" {
-  name = "${local.service_prefix}-events"
-}
-
-resource "aws_ecs_task_definition" "worker" {
-  family                   = "${local.service_prefix}-${local.service}"
-  network_mode             = "awsvpc"
-  execution_role_arn       = data.aws_iam_role.worker.arn
-  task_role_arn            = data.aws_iam_role.worker.arn
-  requires_compatibilities = ["FARGATE"]
-  cpu                      = local.ecs_task_def_cpu_worker
-  memory                   = local.ecs_task_def_memory_worker
-
-  volume {
-    name = "efs"
-
-    efs_volume_configuration {
-      file_system_id     = data.aws_efs_file_system.this.id
-      root_directory     = "/"
-      transit_encryption = "ENABLED"
-      authorization_config {
-        access_point_id = data.aws_efs_access_point.this.id
-      }
+module "service" {
+  source = "github.com/CMSgov/cdap//terraform/modules/service?ref=jscott/PLT-1445"
+
+  cluster_arn                       = module.cluster.this.arn
+  cpu                               = local.ecs_task_def_cpu_worker
+  desired_count                     = local.worker_desired_instances
+  execution_role_arn                = data.aws_iam_role.worker.arn
+  force_new_deployment              = anytrue([var.force_worker_deployment, var.worker_service_image_tag != null])
+  health_check_grace_period_seconds = null
+  image                             = local.worker_image_uri
+  memory                            = local.ecs_task_def_memory_worker
+  platform                          = module.platform
+  security_groups                   = [data.aws_security_group.worker.id]
+  subnets                           = local.writer_adjacent_subnets
+  task_role_arn                     = data.aws_iam_role.worker.arn
+
+  container_environment = [
+    { name = "AB2D_BFD_INSIGHTS", value = local.bfd_insights }, #FIXME: Is this even used?
+    { name = "AB2D_BFD_KEYSTORE_LOCATION", value = local.bfd_keystore_location },
+    { name = "AB2D_BFD_URL", value = local.bfd_url },
+    { name = "AB2D_BFD_URL_V3", value = local.bfd_url_v3 },
+    { name = "AB2D_DB_HOST", value = local.ab2d_db_host },
+    { name = "AB2D_DB_PORT", value = "5432" },
+    { name = "AB2D_DB_SSL_MODE", value = "require" },
+    { name = "AB2D_EFS_MOUNT", value = local.ab2d_efs_mount },
+    { name = "AB2D_EXECUTION_ENV", value = local.benv },
+    { name = "AB2D_JOB_POOL_CORE_SIZE", value = local.max_concurrent_eob_jobs },
+    { name = "AB2D_JOB_POOL_MAX_SIZE", value = local.max_concurrent_eob_jobs },
+    { name = "AWS_SQS_FEATURE_FLAG", value = "true" }, #FIXME: Is this even used?
+    { name = "AWS_SQS_URL", value = data.aws_sqs_queue.events.url },
+    { name = "AWS_SNS_TOPIC_PREFIX", value = "ab2d-${local.parent_env}" },
+    { name = "IMAGE_VERSION", value = local.worker_image_tag },
+    { name = "NEW_RELIC_APP_NAME", value = local.new_relic_app_name },
+    { name = "MICROSERVICES_URL", value = local.microservices_url }
+  ]
+
+  container_secrets = [
+    { name = "AB2D_BFD_KEYSTORE_BASE64", valueFrom = local.bfd_keystore_base64_arn },
+    { name = "AB2D_BFD_KEYSTORE_PASSWORD", valueFrom = local.bfd_keystore_password_arn },
+    { name = "AB2D_DB_DATABASE", valueFrom = local.db_name_arn },
+    { name = "AB2D_DB_PASSWORD", valueFrom = local.db_password_arn },
+    { name = "AB2D_DB_USER", valueFrom = local.db_username_arn },
+    { name = "AB2D_SLACK_ALERT_WEBHOOKS", valueFrom = local.slack_alert_webhooks_arn }, #FIXME: Is this even used?
+    { name = "AB2D_SLACK_TRACE_WEBHOOKS", valueFrom = local.slack_trace_webhooks_arn }, #FIXME: Is this even used?
+    { name = "NEW_RELIC_LICENSE_KEY", valueFrom = local.new_relic_license_key_arn }     #FIXME: Is this even used?
+  ]
+
+  mount_points = [
+    {
+      containerPath = local.ab2d_efs_mount,
+      sourceVolume  = "efs"
+    },
+    {
+      "containerPath" = "/tmp",
+      "sourceVolume"  = "tmp",
+      "readOnly"      = false
+    },
+    {
+      "containerPath" = "/newrelic/logs",
+      "sourceVolume"  = "newrelic_logs",
+      "readOnly"      = false
+    },
+    {
+      "containerPath" = "/var/log",
+      "sourceVolume"  = "var_logs",
+      "readOnly"      = false
     }
-  }
-
-  container_definitions = nonsensitive(jsonencode([{
-    name : local.service,
-    image : local.worker_image_uri,
-    readonlyRootFilesystem = true
-    essential : true,
-    mountPoints : [
-      {
-        containerPath : local.ab2d_efs_mount,
-        sourceVolume : "efs"
-      },
-      {
-        "containerPath" : "/tmp",
-        "sourceVolume" : "tmp",
-        "readOnly" : false
-      },
-      {
-        "containerPath" : "/newrelic/logs",
-        "sourceVolume" : "newrelic_logs",
-        "readOnly" : false
-      },
-      {
-        "containerPath" : "/var/log",
-        "sourceVolume" : "var_logs",
-        "readOnly" : false
-      },
-    ],
-    secrets : [
-      { name : "AB2D_BFD_KEYSTORE_PASSWORD", valueFrom : local.bfd_keystore_password_arn },
-      { name : "AB2D_BFD_KEYSTORE_BASE64", valueFrom : local.bfd_keystore_base64_arn },
-      { name : "AB2D_BFD_TRUSTSTORE_CERT", valueFrom : local.bfd_server_public_cert_arn },
-      { name : "AB2D_DB_DATABASE", valueFrom : local.db_name_arn },
-      { name : "AB2D_DB_PASSWORD", valueFrom : local.db_password_arn },
-      { name : "AB2D_DB_USER", valueFrom : local.db_username_arn },
-      { name : "AB2D_SLACK_ALERT_WEBHOOKS", valueFrom : local.slack_alert_webhooks_arn }, #FIXME: Is this even used?
-      { name : "AB2D_SLACK_TRACE_WEBHOOKS", valueFrom : local.slack_trace_webhooks_arn }, #FIXME: Is this even used?
-      { name : "NEW_RELIC_LICENSE_KEY", valueFrom : local.new_relic_license_key_arn }     #FIXME: Is this even used?
-    ]
-    environment : [
-      { name : "AB2D_BFD_INSIGHTS", value : local.bfd_insights }, #FIXME: Is this even used?
-      { name : "AB2D_BFD_KEYSTORE_LOCATION", value : local.bfd_keystore_location },
-      { name : "AB2D_BFD_URL", value : local.bfd_url },
-      { name : "AB2D_BFD_URL_V3", value : local.bfd_url_v3 },
-      { name : "AB2D_DB_HOST", value : local.ab2d_db_host },
-      { name : "AB2D_DB_PORT", value : "5432" },
-      { name : "AB2D_DB_SSL_MODE", value : "require" },
-      { name : "AB2D_EFS_MOUNT", value : local.ab2d_efs_mount },
-      { name : "AB2D_EXECUTION_ENV", value : local.benv },
-      { name : "AB2D_JOB_POOL_CORE_SIZE", value : local.max_concurrent_eob_jobs },
-      { name : "AB2D_JOB_POOL_MAX_SIZE", value : local.max_concurrent_eob_jobs },
-      { name : "AWS_SQS_FEATURE_FLAG", value : "true" }, #FIXME: Is this even used?
-      { name : "AWS_SQS_URL", value : data.aws_sqs_queue.events.url },
-      { name : "AWS_SNS_TOPIC_PREFIX", value : "ab2d-${local.parent_env}" },
-      { name : "IMAGE_VERSION", value : local.worker_image_tag },
-      { name : "NEW_RELIC_APP_NAME", value : local.new_relic_app_name },
-      { name : "MICROSERVICES_URL", value : local.microservices_url },
-    ],
-    logConfiguration : {
-      logDriver : "awslogs"
-      options : {
-        awslogs-group : "/aws/ecs/fargate/${local.service_prefix}/${local.service}",
-        awslogs-create-group : "true",
-        awslogs-region : local.aws_region,
-        awslogs-stream-prefix : local.service_prefix
+  ]
+
+  volumes = [
+    {
+      name = "efs"
+      efs_volume_configuration = {
+        file_system_id     = data.aws_efs_file_system.this.id
+        root_directory     = "/"
+        transit_encryption = "ENABLED"
+        authorization_config = {
+          access_point_id = data.aws_efs_access_point.this.id
+        }
       }
     },
-    healthCheck : null
-  }]))
-  volume {
-    name = "tmp"
-  }
-  volume {
-    name = "newrelic_logs"
-  }
-  volume {
-    name = "var_logs"
-  }
-}
-
-resource "aws_ecs_service" "worker" {
-  name                               = "${local.service_prefix}-${local.service}"
-  cluster                            = module.cluster.this.id
-  task_definition                    = coalesce(var.override_task_definition_arn, aws_ecs_task_definition.worker.arn)
-  launch_type                        = "FARGATE"
-  desired_count                      = local.worker_desired_instances
-  force_new_deployment               = anytrue([var.force_worker_deployment, var.worker_service_image_tag != null])
-  deployment_minimum_healthy_percent = 100
-  propagate_tags                     = "SERVICE"
-
-  network_configuration {
-    subnets          = local.writer_adjacent_subnets
-    assign_public_ip = false
-    security_groups  = [data.aws_security_group.worker.id]
-  }
+    {
+      name = "tmp"
+    },
+    {
+      name = "newrelic_logs"
+    },
+    {
+      name = "var_logs"
+    }
+  ]
 }
diff --git a/ops/services/30-worker/moved.tf b/ops/services/30-worker/moved.tf
new file mode 100644
index 0000000000..416e8b2b62
--- /dev/null
+++ b/ops/services/30-worker/moved.tf
@@ -0,0 +1,9 @@
+moved {
+  from = aws_ecs_task_definition.worker
+  to   = module.service.aws_ecs_task_definition.this
+}
+
+moved {
+  from = aws_ecs_service.worker
+  to   = module.service.aws_ecs_service.this
+}