diff --git a/.github/actions/terraform/action.yml b/.github/actions/terraform/action.yml
index 7ab43aade..e93b97d11 100644
--- a/.github/actions/terraform/action.yml
+++ b/.github/actions/terraform/action.yml
@@ -4,13 +4,16 @@ inputs:
   command:
     description: "Terraform command to run"
     required: true
+  account:
+    description: "AWS account name"
+    required: true
   workspace:
     description: "Terraform workspace name"
     required: true
-  account-wide:
-    description: "If account-wide then specify 'account_wide'"
-    required: false
-    default: "non_account_wide"
+  scope:
+    description: "Terraform scope"
+    required: true
+    default: "per_workspace"
   cache-suffix:
     description: "[Optional] Cache suffix (e.g. 'base')"
     required: false
@@ -32,7 +35,7 @@ runs:
   steps:
     - uses: ./.github/actions/make/
       with:
-        command: terraform--${{ inputs.command }} TERRAFORM_WORKSPACE="${{ inputs.workspace }}" ACCOUNT_WIDE="${{ inputs.account-wide }}" PARAMETER_DEPLOY="${{ inputs.parameter-deploy }}"
+        command: terraform--${{ inputs.command }} AWS_ACCOUNT="${{ inputs.account }}" TERRAFORM_WORKSPACE="${{ inputs.workspace }}" TERRAFORM_SCOPE="${{ inputs.scope }}"
         requires-aws: true
         restore-from-cache: ${{ inputs.restore-from-cache }}
         save-to-cache: ${{ inputs.save-to-cache }}
diff --git a/.github/workflows/_deploy.yml b/.github/workflows/_deploy.yml
index 99bef4642..92bdb33f2 100644
--- a/.github/workflows/_deploy.yml
+++ b/.github/workflows/_deploy.yml
@@ -1,18 +1,18 @@
 on:
   workflow_call:
     inputs:
-      workspace:
-        required: true
-        default: dev
+      account:
+        description: The AWS account being deployed
         type: string
-      parameter-deploy:
-        required: false
+        required: true
+      workspace:
+        description: The Terraform workspace being deployed
         type: string
-        default: ""
-      account-wide:
-        required: false
+        required: true
+      scope:
+        description: The Terraform scope being deployed
         type: string
-        default: "non_account_wide"
+        required: true
 
 permissions:
   id-token: write
@@ -20,11 +20,10 @@ permissions:
   actions: write
 
 env:
-  RUNNING_IN_CI: 1
+  ACCOUNT: ${{ inputs.account }}
   WORKSPACE: ${{ inputs.workspace }}
-  CACHE_NAME: ${{ inputs.workspace }}-cache
-  PARAMETER_DEPLOY: ${{ inputs.parameter-deploy }}
-  ACCOUNT_WIDE: ${{ inputs.account-wide }}
+  CACHE_NAME: ${{ inputs.workspace }}-${{ inputs.account }}-${{ inputs.scope }}
+  SCOPE: ${{ inputs.scope }}
   # SLACK_WEBHOOK_URL: ${{ secrets.DEPLOY_ENV_SLACK_HOOK_URL }}
   CI_ROLE_NAME: ${{ secrets.CI_ROLE_NAME }}
 
@@ -61,6 +60,7 @@ jobs:
           command: build
           save-to-cache: "true"
           restore-from-cache: "false"
+          cache-suffix: ${{ env.CACHE_NAME }}
 
   helpers--truststore-pull:
     needs: [get-branch-from-workflow-file, build]
@@ -83,11 +83,12 @@ jobs:
       - uses: ./.github/actions/terraform/
         with:
           command: init
+          account: ${{ env.ACCOUNT }}
           workspace: ${{ env.WORKSPACE }}
-          account-wide: ${{ env.ACCOUNT_WIDE }}
-          parameter-deploy: ${{ env.PARAMETER_DEPLOY }}
+          scope: ${{ env.SCOPE }}
           restore-from-cache: "true"
           save-to-cache: "true"
+          cache-suffix: ${{ env.CACHE_NAME }}
 
   terraform--plan:
     needs: [get-branch-from-workflow-file, terraform--init]
@@ -99,11 +100,12 @@ jobs:
       - uses: ./.github/actions/terraform/
         with:
           command: plan
+          account: ${{ env.ACCOUNT }}
           workspace: ${{ env.WORKSPACE }}
-          account-wide: ${{ env.ACCOUNT_WIDE }}
-          parameter-deploy: ${{ env.PARAMETER_DEPLOY }}
+          scope: ${{ env.SCOPE }}
           restore-from-cache: "true"
           save-to-cache: "true"
+          cache-suffix: ${{ env.CACHE_NAME }}
 
   terraform--apply:
     needs: [get-branch-from-workflow-file, terraform--plan]
@@ -115,11 +117,12 @@ jobs:
       - uses: ./.github/actions/terraform/
         with:
           command: apply
+          account: ${{ env.ACCOUNT }}
           workspace: ${{ env.WORKSPACE }}
-          account-wide: ${{ env.ACCOUNT_WIDE }}
-          parameter-deploy: ${{ env.PARAMETER_DEPLOY }}
+          scope: ${{ env.SCOPE }}
           restore-from-cache: "true"
           save-to-cache: "true"
+          cache-suffix: ${{ env.CACHE_NAME }}
 
   test--smoke:
     needs: [get-branch-from-workflow-file, terraform--apply]
@@ -146,7 +149,7 @@ jobs:
   message-slack:
     name: Notify slack of deployment
     needs: [get-branch-from-workflow-file, set-success]
-    if: ${{ always() }}
+    if: always()
     runs-on: [self-hosted, ci]
 
     steps:
@@ -156,7 +159,10 @@ jobs:
         with:
           payload: |
             {
+              "account": "${{ env.ACCOUNT }}",
               "environment": "${{ env.WORKSPACE }}",
               "result": "${{ needs.set-success.outputs.success && needs.set-success.outputs.success || 'failed' }}",
               "branch": "${{ needs.get-branch-from-workflow-file.outputs.branch_name }}"
             }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.DEPLOY_ENV_SLACK_HOOK_URL }}
diff --git a/.github/workflows/deploy-account-wide-resources-prod.yml b/.github/workflows/deploy-account-wide-resources-prod.yml
index de609d4d5..6e04369fb 100644
--- a/.github/workflows/deploy-account-wide-resources-prod.yml
+++ b/.github/workflows/deploy-account-wide-resources-prod.yml
@@ -1,4 +1,4 @@
-name: "Deploy: Account Wide Resources - Production"
+name: "Deploy: Account Wide - Production"
 
 on:
   workflow_dispatch:
@@ -7,6 +7,7 @@ jobs:
   deploy:
     uses: ./.github/workflows/_deploy.yml
     with:
+      account: prod
       workspace: prod
-      account-wide: account_wide
+      scope: per_account/prod
     secrets: inherit # pragma: allowlist secret
diff --git a/.github/workflows/deploy-account-wide-resources.yml b/.github/workflows/deploy-account-wide-resources.yml
index f0c3e71a4..0d5502d38 100644
--- a/.github/workflows/deploy-account-wide-resources.yml
+++ b/.github/workflows/deploy-account-wide-resources.yml
@@ -1,21 +1,23 @@
-name: "Deploy: Account Wide Resources - Nonprod"
+name: "Deploy: Account Wide - Nonprod"
 
 on:
   workflow_dispatch:
     inputs:
-      workspace:
-        description: Account to deploy to
+      account:
+        description: Account to deploy
         required: true
         default: dev
         type: choice
         options:
           - dev
-          - ref
+          - qa
           - int
+          - ref
 jobs:
   deploy:
     uses: ./.github/workflows/_deploy.yml
     with:
-      workspace: ${{ inputs.workspace }}
-      account-wide: account_wide
+      account: ${{ inputs.account }}
+      workspace: ${{ inputs.account }}
+      scope: "per_account/${{ inputs.account }}"
     secrets: inherit # pragma: allowlist secret
diff --git a/.github/workflows/deploy-nonprod-workspace.yml b/.github/workflows/deploy-nonprod-workspace.yml
index bd8c5227b..6b3ca34e7 100644
--- a/.github/workflows/deploy-nonprod-workspace.yml
+++ b/.github/workflows/deploy-nonprod-workspace.yml
@@ -3,23 +3,26 @@ name: "Deploy: Workspace - Nonprod"
 on:
   workflow_dispatch:
     inputs:
-      workspace:
-        description: Workspace to deploy to
+      account:
+        description: Account to deploy
         required: true
         default: dev
         type: choice
         options:
           - dev
-          - dev-sandbox
-          - ref
-          - ref-sandbox
+          - qa
           - int
-          - int-sandbox
+          - ref
+      sandbox:
+        description: Do you want to deploy the sandbox version?
+        type: boolean
+        default: false
 
 jobs:
   deploy:
     uses: ./.github/workflows/_deploy.yml
     with:
-      workspace: ${{ inputs.workspace }}
-      account-wide: non_account_wide
+      account: ${{ inputs.account }}
+      workspace: ${{ inputs.account }}${{ inputs.sandbox == 'true' && '-sandbox' || '' }}
+      scope: "per_workspace"
     secrets: inherit # pragma: allowlist secret
diff --git a/.github/workflows/deploy-parameters-nonprod.yml b/.github/workflows/deploy-parameters-nonprod.yml
index f35943ecc..3cfa75f95 100644
--- a/.github/workflows/deploy-parameters-nonprod.yml
+++ b/.github/workflows/deploy-parameters-nonprod.yml
@@ -3,21 +3,22 @@ name: "Deploy: Parameters - Nonprod"
 on:
   workflow_dispatch:
     inputs:
-      workspace:
-        description: Workspace to deploy to
+      account:
+        description: Account to deploy
         required: true
         default: dev
         type: choice
         options:
           - dev
-          - ref
+          - qa
           - int
+          - ref
 
 jobs:
   deploy:
     uses: ./.github/workflows/_deploy.yml
     with:
-      workspace: ${{ inputs.workspace }}
-      parameter-deploy: "parameter_deploy"
-      account-wide: "account_wide"
+      account: ${{ inputs.account }}
+      workspace: ${{ inputs.account }}
+      scope: "per_account/${{ inputs.account }}/parameters"
     secrets: inherit # pragma: allowlist secret
diff --git a/.github/workflows/deploy-parameters-prod.yml b/.github/workflows/deploy-parameters-prod.yml
index e83a02648..162a637be 100644
--- a/.github/workflows/deploy-parameters-prod.yml
+++ b/.github/workflows/deploy-parameters-prod.yml
@@ -7,7 +7,7 @@ jobs:
   deploy:
     uses: ./.github/workflows/_deploy.yml
     with:
+      account: prod
       workspace: prod
-      parameter-deploy: "parameter_deploy"
-      account-wide: "account_wide"
+      scope: per_account/prod/parameters
     secrets: inherit # pragma: allowlist secret
diff --git a/.github/workflows/deploy-prod-workspace.yml b/.github/workflows/deploy-prod-workspace.yml
index 9e2ad624d..d8211653d 100644
--- a/.github/workflows/deploy-prod-workspace.yml
+++ b/.github/workflows/deploy-prod-workspace.yml
@@ -7,6 +7,7 @@ jobs:
   deploy:
     uses: ./.github/workflows/_deploy.yml
     with:
+      account: prod
       workspace: prod
-      account-wide: non_account_wide
+      scope: per_workspace
     secrets: inherit # pragma: allowlist secret
diff --git a/.github/workflows/destroy-expired-workspaces.yml b/.github/workflows/destroy-expired-workspaces.yml
index c094d64c8..efac9bcd5 100644
--- a/.github/workflows/destroy-expired-workspaces.yml
+++ b/.github/workflows/destroy-expired-workspaces.yml
@@ -14,7 +14,6 @@ env:
   AWS_DEFAULT_REGION: eu-west-2
   TF_CLI_ARGS: -no-color
   CI_ROLE_NAME: ${{ secrets.CI_ROLE_NAME }}
-  RUNNING_IN_CI: 1
   BRANCH_NAME: ${{ github.ref_name }}
 
 jobs:
diff --git a/.github/workflows/pull-requests.yml b/.github/workflows/pull-requests.yml
index d30ac770c..2f6063fc6 100644
--- a/.github/workflows/pull-requests.yml
+++ b/.github/workflows/pull-requests.yml
@@ -12,7 +12,6 @@ env:
   BASE_BRANCH_NAME: ${{ github.event.pull_request.base.ref }}
   BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
   CI_ROLE_NAME: ${{ secrets.CI_ROLE_NAME }}
-  RUNNING_IN_CI: 1
   BRANCH_GITHUB_SHA_SHORT: $(echo ${{ github.event.pull_request.head.sha }} | cut -c 1-7)
   TF_CLI_ARGS: -no-color
 
@@ -136,7 +135,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          ref: ${{ env.BASE_BRANCH_NAME }}
+          ref: ${{ env.BRANCH_NAME }} # ${{ env.BASE_BRANCH_NAME }}
       - uses: ./.github/actions/terraform/
         with:
           command: plan
diff --git a/infrastructure/terraform/etc/int.tfvars b/infrastructure/terraform/etc/int.tfvars
new file mode 100644
index 000000000..00e5cfa9f
--- /dev/null
+++ b/infrastructure/terraform/etc/int.tfvars
@@ -0,0 +1,2 @@
+account_name = "int"
+environment  = "int"
diff --git a/infrastructure/terraform/etc/mgmt.tfvars b/infrastructure/terraform/etc/mgmt.tfvars
new file mode 100644
index 000000000..4d3811c73
--- /dev/null
+++ b/infrastructure/terraform/etc/mgmt.tfvars
@@ -0,0 +1,2 @@
+account_name = "mgmt"
+environment  = "mgmt"
diff --git a/infrastructure/terraform/etc/prod.tfvars b/infrastructure/terraform/etc/prod.tfvars
new file mode 100644
index 000000000..41c154639
--- /dev/null
+++ b/infrastructure/terraform/etc/prod.tfvars
@@ -0,0 +1,2 @@
+account_name = "prod"
+environment  = "prod"
diff --git a/infrastructure/terraform/etc/qa.tfvars b/infrastructure/terraform/etc/qa.tfvars
new file mode 100644
index 000000000..214c55063
--- /dev/null
+++ b/infrastructure/terraform/etc/qa.tfvars
@@ -0,0 +1,2 @@
+account_name = "qa"
+environment  = "qa"
diff --git a/infrastructure/terraform/etc/ref.tfvars b/infrastructure/terraform/etc/ref.tfvars
new file mode 100644
index 000000000..718f4c6da
--- /dev/null
+++ b/infrastructure/terraform/etc/ref.tfvars
@@ -0,0 +1,2 @@
+account_name = "ref"
+environment  = "ref"
diff --git a/infrastructure/terraform/per_account/dev/parameters/main.tf b/infrastructure/terraform/per_account/dev/parameters/main.tf
index 899e1c196..ea3b458e3 100644
--- a/infrastructure/terraform/per_account/dev/parameters/main.tf
+++ b/infrastructure/terraform/per_account/dev/parameters/main.tf
@@ -27,6 +27,6 @@ JSON
   }
 }
 
-resource "aws_secretsmanager_secret" "dev-apigee-credentials" {
+resource "aws_secretsmanager_secret" "apigee-credentials" {
   name = "${terraform.workspace}-apigee-credentials"
 }
diff --git a/infrastructure/terraform/per_account/dev/vars.tf b/infrastructure/terraform/per_account/dev/vars.tf
index 6baf3dcb2..5211b6e94 100644
--- a/infrastructure/terraform/per_account/dev/vars.tf
+++ b/infrastructure/terraform/per_account/dev/vars.tf
@@ -17,3 +17,7 @@ variable "expiration_date" {
 variable "updated_date" {
   default = "NEVER"
 }
+
+variable "workspace_type" {
+  default = "PERSISTENT"
+}
diff --git a/infrastructure/terraform/per_account/int/locals.tf b/infrastructure/terraform/per_account/int/locals.tf
new file mode 100644
index 000000000..9d2eefbf5
--- /dev/null
+++ b/infrastructure/terraform/per_account/int/locals.tf
@@ -0,0 +1,5 @@
+locals {
+  region       = "eu-west-2"
+  project      = "nhse-cpm"
+  current_time = timestamp()
+}
diff --git a/infrastructure/terraform/per_account/int/main.tf b/infrastructure/terraform/per_account/int/main.tf
new file mode 100644
index 000000000..dd97616dc
--- /dev/null
+++ b/infrastructure/terraform/per_account/int/main.tf
@@ -0,0 +1,33 @@
+resource "aws_resourcegroups_group" "resource_group" {
+  name        = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide-resource-group"
+  description = "PERSISTENT ${upper(terraform.workspace)} account-wide resource group."
+  tags = {
+    Name           = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide-resource-group"
+    CreatedOn      = var.updated_date
+    LastUpdated    = var.updated_date
+    ExpirationDate = var.expiration_date
+  }
+
+  lifecycle {
+    ignore_changes = [tags["CreatedOn"]]
+  }
+
+  resource_query {
+    query = <<JSON
+{
+  "ResourceTypeFilters": ["AWS::AllSupported"],
+  "TagFilters": [
+    {
+      "Key": "Workspace",
+      "Values": ["${replace(terraform.workspace, "_", "-")}-account-wide"]
+    }
+  ]
+}
+JSON
+  }
+}
+
+module "iam__api-gateway-to-cloudwatch" {
+  source  = "../modules/iam__api-gateway-to-cloudwatch"
+  project = local.project
+}
diff --git a/infrastructure/terraform/per_account/int/parameters/locals.tf b/infrastructure/terraform/per_account/int/parameters/locals.tf
new file mode 100644
index 000000000..9d2eefbf5
--- /dev/null
+++ b/infrastructure/terraform/per_account/int/parameters/locals.tf
@@ -0,0 +1,5 @@
+locals {
+  region       = "eu-west-2"
+  project      = "nhse-cpm"
+  current_time = timestamp()
+}
diff --git a/infrastructure/terraform/per_account/int/parameters/main.tf b/infrastructure/terraform/per_account/int/parameters/main.tf
new file mode 100644
index 000000000..ea3b458e3
--- /dev/null
+++ b/infrastructure/terraform/per_account/int/parameters/main.tf
@@ -0,0 +1,32 @@
+resource "aws_resourcegroups_group" "resource_group" {
+  name        = "${local.project}--${replace(terraform.workspace, "_", "-")}--parameter-resource-group"
+  description = "${var.workspace_type} ${upper(terraform.workspace)} parameter resource group."
+  tags = {
+    Name           = "${local.project}--${replace(terraform.workspace, "_", "-")}--parameter-resource-group"
+    CreatedOn      = var.updated_date
+    LastUpdated    = var.updated_date
+    ExpirationDate = var.expiration_date
+  }
+
+  lifecycle {
+    ignore_changes = [tags["CreatedOn"]]
+  }
+
+  resource_query {
+    query = <<JSON
+{
+  "ResourceTypeFilters": ["AWS::AllSupported"],
+  "TagFilters": [
+    {
+      "Key": "Workspace",
+      "Values": ["${replace(terraform.workspace, "_", "-")}-parameters"]
+    }
+  ]
+}
+JSON
+  }
+}
+
+resource "aws_secretsmanager_secret" "apigee-credentials" {
+  name = "${terraform.workspace}-apigee-credentials"
+}
diff --git a/infrastructure/terraform/per_account/int/parameters/provider.tf b/infrastructure/terraform/per_account/int/parameters/provider.tf
new file mode 100644
index 000000000..7d8a50a58
--- /dev/null
+++ b/infrastructure/terraform/per_account/int/parameters/provider.tf
@@ -0,0 +1,20 @@
+provider "aws" {
+  region = local.region
+
+  assume_role {
+    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+  }
+
+  default_tags {
+    tags = {
+      Environment      = var.environment
+      Workspace        = "${replace(terraform.workspace, "_", "-")}-parameters"
+      Project          = local.project
+      Name             = "${local.project}--${replace(terraform.workspace, "_", "-")}-secrets"
+      Owner            = "NHSE"
+      ProjectShortName = "CPM"
+      ProjectFullname  = "Connecting Party Manager"
+      WorkspaceType    = var.workspace_type
+    }
+  }
+}
diff --git a/infrastructure/terraform/per_account/int/parameters/terraform.tf b/infrastructure/terraform/per_account/int/parameters/terraform.tf
new file mode 100644
index 000000000..bf8cd57d0
--- /dev/null
+++ b/infrastructure/terraform/per_account/int/parameters/terraform.tf
@@ -0,0 +1,17 @@
+terraform {
+  backend "s3" {
+    encrypt              = false
+    region               = "eu-west-2"
+    bucket               = "nhse-cpm--terraform-state-v1.0.0"
+    dynamodb_table       = "nhse-cpm--terraform-state-lock-v1.0.0"
+    key                  = "terraform-state-account-secrets"
+    workspace_key_prefix = "nhse-cpm"
+  }
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.20.0"
+    }
+  }
+}
diff --git a/infrastructure/terraform/per_account/int/parameters/vars.tf b/infrastructure/terraform/per_account/int/parameters/vars.tf
new file mode 100644
index 000000000..8b585d3c0
--- /dev/null
+++ b/infrastructure/terraform/per_account/int/parameters/vars.tf
@@ -0,0 +1,29 @@
+variable "account_name" {
+  type = string
+}
+
+variable "assume_account" {
+  sensitive = true
+}
+
+variable "assume_role" {}
+
+variable "environment" {}
+
+variable "deletion_protection_enabled" {
+  type    = bool
+  default = false
+}
+
+variable "expiration_date" {
+  default = "NEVER"
+}
+
+variable "updated_date" {
+  default = "NEVER"
+}
+
+variable "workspace_type" {
+  type    = string
+  default = "PERSISTENT"
+}
diff --git a/infrastructure/terraform/per_account/int/provider.tf b/infrastructure/terraform/per_account/int/provider.tf
new file mode 100644
index 000000000..aa11ecde0
--- /dev/null
+++ b/infrastructure/terraform/per_account/int/provider.tf
@@ -0,0 +1,20 @@
+provider "aws" {
+  region = local.region
+
+  assume_role {
+    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+  }
+
+  default_tags {
+    tags = {
+      Environment      = var.environment
+      Workspace        = "${replace(terraform.workspace, "_", "-")}-account-wide"
+      Project          = local.project
+      Name             = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide"
+      Owner            = "NHSE"
+      ProjectShortName = "CPM"
+      ProjectFullname  = "Connecting Party Manager"
+      WorkspaceType    = "PERSISTENT"
+    }
+  }
+}
diff --git a/infrastructure/terraform/per_account/int/terraform.tf b/infrastructure/terraform/per_account/int/terraform.tf
new file mode 100644
index 000000000..07024f81a
--- /dev/null
+++ b/infrastructure/terraform/per_account/int/terraform.tf
@@ -0,0 +1,18 @@
+terraform {
+  backend "s3" {
+    encrypt              = false
+    region               = "eu-west-2"
+    bucket               = "nhse-cpm--terraform-state-v1.0.0"
+    dynamodb_table       = "nhse-cpm--terraform-state-lock-v1.0.0"
+    key                  = "terraform-state-infrastructure-int-account-wide"
+    workspace_key_prefix = "nhse-cpm"
+  }
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.20.0"
+    }
+  }
+  # required_version = ">= 1.1.0"
+}
diff --git a/infrastructure/terraform/per_account/int/vars.tf b/infrastructure/terraform/per_account/int/vars.tf
new file mode 100644
index 000000000..5211b6e94
--- /dev/null
+++ b/infrastructure/terraform/per_account/int/vars.tf
@@ -0,0 +1,23 @@
+variable "account_name" {
+  type = string
+}
+
+variable "assume_account" {
+  sensitive = true
+}
+
+variable "assume_role" {}
+
+variable "environment" {}
+
+variable "expiration_date" {
+  default = "NEVER"
+}
+
+variable "updated_date" {
+  default = "NEVER"
+}
+
+variable "workspace_type" {
+  default = "PERSISTENT"
+}
diff --git a/infrastructure/terraform/per_account/prod/locals.tf b/infrastructure/terraform/per_account/prod/locals.tf
new file mode 100644
index 000000000..9d2eefbf5
--- /dev/null
+++ b/infrastructure/terraform/per_account/prod/locals.tf
@@ -0,0 +1,5 @@
+locals {
+  region       = "eu-west-2"
+  project      = "nhse-cpm"
+  current_time = timestamp()
+}
diff --git a/infrastructure/terraform/per_account/prod/main.tf b/infrastructure/terraform/per_account/prod/main.tf
new file mode 100644
index 000000000..dd97616dc
--- /dev/null
+++ b/infrastructure/terraform/per_account/prod/main.tf
@@ -0,0 +1,33 @@
+resource "aws_resourcegroups_group" "resource_group" {
+  name        = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide-resource-group"
+  description = "PERSISTENT ${upper(terraform.workspace)} account-wide resource group."
+  tags = {
+    Name           = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide-resource-group"
+    CreatedOn      = var.updated_date
+    LastUpdated    = var.updated_date
+    ExpirationDate = var.expiration_date
+  }
+
+  lifecycle {
+    ignore_changes = [tags["CreatedOn"]]
+  }
+
+  resource_query {
+    query = <<JSON
+{
+  "ResourceTypeFilters": ["AWS::AllSupported"],
+  "TagFilters": [
+    {
+      "Key": "Workspace",
+      "Values": ["${replace(terraform.workspace, "_", "-")}-account-wide"]
+    }
+  ]
+}
+JSON
+  }
+}
+
+module "iam__api-gateway-to-cloudwatch" {
+  source  = "../modules/iam__api-gateway-to-cloudwatch"
+  project = local.project
+}
diff --git a/infrastructure/terraform/per_account/prod/parameters/locals.tf b/infrastructure/terraform/per_account/prod/parameters/locals.tf
new file mode 100644
index 000000000..9d2eefbf5
--- /dev/null
+++ b/infrastructure/terraform/per_account/prod/parameters/locals.tf
@@ -0,0 +1,5 @@
+locals {
+  region       = "eu-west-2"
+  project      = "nhse-cpm"
+  current_time = timestamp()
+}
diff --git a/infrastructure/terraform/per_account/prod/parameters/main.tf b/infrastructure/terraform/per_account/prod/parameters/main.tf
new file mode 100644
index 000000000..ea3b458e3
--- /dev/null
+++ b/infrastructure/terraform/per_account/prod/parameters/main.tf
@@ -0,0 +1,32 @@
+resource "aws_resourcegroups_group" "resource_group" {
+  name        = "${local.project}--${replace(terraform.workspace, "_", "-")}--parameter-resource-group"
+  description = "${var.workspace_type} ${upper(terraform.workspace)} parameter resource group."
+  tags = {
+    Name           = "${local.project}--${replace(terraform.workspace, "_", "-")}--parameter-resource-group"
+    CreatedOn      = var.updated_date
+    LastUpdated    = var.updated_date
+    ExpirationDate = var.expiration_date
+  }
+
+  lifecycle {
+    ignore_changes = [tags["CreatedOn"]]
+  }
+
+  resource_query {
+    query = <<JSON
+{
+  "ResourceTypeFilters": ["AWS::AllSupported"],
+  "TagFilters": [
+    {
+      "Key": "Workspace",
+      "Values": ["${replace(terraform.workspace, "_", "-")}-parameters"]
+    }
+  ]
+}
+JSON
+  }
+}
+
+resource "aws_secretsmanager_secret" "apigee-credentials" {
+  name = "${terraform.workspace}-apigee-credentials"
+}
diff --git a/infrastructure/terraform/per_account/prod/parameters/provider.tf b/infrastructure/terraform/per_account/prod/parameters/provider.tf
new file mode 100644
index 000000000..7d8a50a58
--- /dev/null
+++ b/infrastructure/terraform/per_account/prod/parameters/provider.tf
@@ -0,0 +1,20 @@
+provider "aws" {
+  region = local.region
+
+  assume_role {
+    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+  }
+
+  default_tags {
+    tags = {
+      Environment      = var.environment
+      Workspace        = "${replace(terraform.workspace, "_", "-")}-parameters"
+      Project          = local.project
+      Name             = "${local.project}--${replace(terraform.workspace, "_", "-")}-secrets"
+      Owner            = "NHSE"
+      ProjectShortName = "CPM"
+      ProjectFullname  = "Connecting Party Manager"
+      WorkspaceType    = var.workspace_type
+    }
+  }
+}
diff --git a/infrastructure/terraform/per_account/prod/parameters/terraform.tf b/infrastructure/terraform/per_account/prod/parameters/terraform.tf
new file mode 100644
index 000000000..bf8cd57d0
--- /dev/null
+++ b/infrastructure/terraform/per_account/prod/parameters/terraform.tf
@@ -0,0 +1,17 @@
+terraform {
+  backend "s3" {
+    encrypt              = false
+    region               = "eu-west-2"
+    bucket               = "nhse-cpm--terraform-state-v1.0.0"
+    dynamodb_table       = "nhse-cpm--terraform-state-lock-v1.0.0"
+    key                  = "terraform-state-account-secrets"
+    workspace_key_prefix = "nhse-cpm"
+  }
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.20.0"
+    }
+  }
+}
diff --git a/infrastructure/terraform/per_account/prod/parameters/vars.tf b/infrastructure/terraform/per_account/prod/parameters/vars.tf
new file mode 100644
index 000000000..8b585d3c0
--- /dev/null
+++ b/infrastructure/terraform/per_account/prod/parameters/vars.tf
@@ -0,0 +1,29 @@
+variable "account_name" {
+  type = string
+}
+
+variable "assume_account" {
+  sensitive = true
+}
+
+variable "assume_role" {}
+
+variable "environment" {}
+
+variable "deletion_protection_enabled" {
+  type    = bool
+  default = false
+}
+
+variable "expiration_date" {
+  default = "NEVER"
+}
+
+variable "updated_date" {
+  default = "NEVER"
+}
+
+variable "workspace_type" {
+  type    = string
+  default = "PERSISTENT"
+}
diff --git a/infrastructure/terraform/per_account/prod/provider.tf b/infrastructure/terraform/per_account/prod/provider.tf
new file mode 100644
index 000000000..aa11ecde0
--- /dev/null
+++ b/infrastructure/terraform/per_account/prod/provider.tf
@@ -0,0 +1,20 @@
+provider "aws" {
+  region = local.region
+
+  assume_role {
+    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+  }
+
+  default_tags {
+    tags = {
+      Environment      = var.environment
+      Workspace        = "${replace(terraform.workspace, "_", "-")}-account-wide"
+      Project          = local.project
+      Name             = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide"
+      Owner            = "NHSE"
+      ProjectShortName = "CPM"
+      ProjectFullname  = "Connecting Party Manager"
+      WorkspaceType    = "PERSISTENT"
+    }
+  }
+}
diff --git a/infrastructure/terraform/per_account/prod/terraform.tf b/infrastructure/terraform/per_account/prod/terraform.tf
new file mode 100644
index 000000000..c339885cf
--- /dev/null
+++ b/infrastructure/terraform/per_account/prod/terraform.tf
@@ -0,0 +1,18 @@
+terraform {
+  backend "s3" {
+    encrypt              = false
+    region               = "eu-west-2"
+    bucket               = "nhse-cpm--terraform-state-v1.0.0"
+    dynamodb_table       = "nhse-cpm--terraform-state-lock-v1.0.0"
+    key                  = "terraform-state-infrastructure-prod-account-wide"
+    workspace_key_prefix = "nhse-cpm"
+  }
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.20.0"
+    }
+  }
+  # required_version = ">= 1.1.0"
+}
diff --git a/infrastructure/terraform/per_account/prod/vars.tf b/infrastructure/terraform/per_account/prod/vars.tf
new file mode 100644
index 000000000..5211b6e94
--- /dev/null
+++ b/infrastructure/terraform/per_account/prod/vars.tf
@@ -0,0 +1,23 @@
+variable "account_name" {
+  type = string
+}
+
+variable "assume_account" {
+  sensitive = true
+}
+
+variable "assume_role" {}
+
+variable "environment" {}
+
+variable "expiration_date" {
+  default = "NEVER"
+}
+
+variable "updated_date" {
+  default = "NEVER"
+}
+
+variable "workspace_type" {
+  default = "PERSISTENT"
+}
diff --git a/infrastructure/terraform/per_account/qa/locals.tf b/infrastructure/terraform/per_account/qa/locals.tf
new file mode 100644
index 000000000..9d2eefbf5
--- /dev/null
+++ b/infrastructure/terraform/per_account/qa/locals.tf
@@ -0,0 +1,5 @@
+locals {
+  region       = "eu-west-2"
+  project      = "nhse-cpm"
+  current_time = timestamp()
+}
diff --git a/infrastructure/terraform/per_account/qa/main.tf b/infrastructure/terraform/per_account/qa/main.tf
new file mode 100644
index 000000000..dd97616dc
--- /dev/null
+++ b/infrastructure/terraform/per_account/qa/main.tf
@@ -0,0 +1,33 @@
+resource "aws_resourcegroups_group" "resource_group" {
+  name        = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide-resource-group"
+  description = "PERSISTENT ${upper(terraform.workspace)} account-wide resource group."
+  tags = {
+    Name           = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide-resource-group"
+    CreatedOn      = var.updated_date
+    LastUpdated    = var.updated_date
+    ExpirationDate = var.expiration_date
+  }
+
+  lifecycle {
+    ignore_changes = [tags["CreatedOn"]]
+  }
+
+  resource_query {
+    query = <<JSON
+{
+  "ResourceTypeFilters": ["AWS::AllSupported"],
+  "TagFilters": [
+    {
+      "Key": "Workspace",
+      "Values": ["${replace(terraform.workspace, "_", "-")}-account-wide"]
+    }
+  ]
+}
+JSON
+  }
+}
+
+module "iam__api-gateway-to-cloudwatch" {
+  source  = "../modules/iam__api-gateway-to-cloudwatch"
+  project = local.project
+}
diff --git a/infrastructure/terraform/per_account/qa/parameters/locals.tf b/infrastructure/terraform/per_account/qa/parameters/locals.tf
new file mode 100644
index 000000000..9d2eefbf5
--- /dev/null
+++ b/infrastructure/terraform/per_account/qa/parameters/locals.tf
@@ -0,0 +1,5 @@
+locals {
+  region       = "eu-west-2"
+  project      = "nhse-cpm"
+  current_time = timestamp()
+}
diff --git a/infrastructure/terraform/per_account/qa/parameters/main.tf b/infrastructure/terraform/per_account/qa/parameters/main.tf
new file mode 100644
index 000000000..ea3b458e3
--- /dev/null
+++ b/infrastructure/terraform/per_account/qa/parameters/main.tf
@@ -0,0 +1,32 @@
+resource "aws_resourcegroups_group" "resource_group" {
+  name        = "${local.project}--${replace(terraform.workspace, "_", "-")}--parameter-resource-group"
+  description = "${var.workspace_type} ${upper(terraform.workspace)} parameter resource group."
+  tags = {
+    Name           = "${local.project}--${replace(terraform.workspace, "_", "-")}--parameter-resource-group"
+    CreatedOn      = var.updated_date
+    LastUpdated    = var.updated_date
+    ExpirationDate = var.expiration_date
+  }
+
+  lifecycle {
+    ignore_changes = [tags["CreatedOn"]]
+  }
+
+  resource_query {
+    query = <<JSON
+{
+  "ResourceTypeFilters": ["AWS::AllSupported"],
+  "TagFilters": [
+    {
+      "Key": "Workspace",
+      "Values": ["${replace(terraform.workspace, "_", "-")}-parameters"]
+    }
+  ]
+}
+JSON
+  }
+}
+
+resource "aws_secretsmanager_secret" "apigee-credentials" {
+  name = "${terraform.workspace}-apigee-credentials"
+}
diff --git a/infrastructure/terraform/per_account/qa/parameters/provider.tf b/infrastructure/terraform/per_account/qa/parameters/provider.tf
new file mode 100644
index 000000000..7d8a50a58
--- /dev/null
+++ b/infrastructure/terraform/per_account/qa/parameters/provider.tf
@@ -0,0 +1,20 @@
+provider "aws" {
+  region = local.region
+
+  assume_role {
+    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+  }
+
+  default_tags {
+    tags = {
+      Environment      = var.environment
+      Workspace        = "${replace(terraform.workspace, "_", "-")}-parameters"
+      Project          = local.project
+      Name             = "${local.project}--${replace(terraform.workspace, "_", "-")}-secrets"
+      Owner            = "NHSE"
+      ProjectShortName = "CPM"
+      ProjectFullname  = "Connecting Party Manager"
+      WorkspaceType    = var.workspace_type
+    }
+  }
+}
diff --git a/infrastructure/terraform/per_account/qa/parameters/terraform.tf b/infrastructure/terraform/per_account/qa/parameters/terraform.tf
new file mode 100644
index 000000000..bf8cd57d0
--- /dev/null
+++ b/infrastructure/terraform/per_account/qa/parameters/terraform.tf
@@ -0,0 +1,17 @@
+terraform {
+  backend "s3" {
+    encrypt              = false
+    region               = "eu-west-2"
+    bucket               = "nhse-cpm--terraform-state-v1.0.0"
+    dynamodb_table       = "nhse-cpm--terraform-state-lock-v1.0.0"
+    key                  = "terraform-state-account-secrets"
+    workspace_key_prefix = "nhse-cpm"
+  }
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.20.0"
+    }
+  }
+}
diff --git a/infrastructure/terraform/per_account/qa/parameters/vars.tf b/infrastructure/terraform/per_account/qa/parameters/vars.tf
new file mode 100644
index 000000000..8b585d3c0
--- /dev/null
+++ b/infrastructure/terraform/per_account/qa/parameters/vars.tf
@@ -0,0 +1,29 @@
+variable "account_name" {
+  type = string
+}
+
+variable "assume_account" {
+  sensitive = true
+}
+
+variable "assume_role" {}
+
+variable "environment" {}
+
+variable "deletion_protection_enabled" {
+  type    = bool
+  default = false
+}
+
+variable "expiration_date" {
+  default = "NEVER"
+}
+
+variable "updated_date" {
+  default = "NEVER"
+}
+
+variable "workspace_type" {
+  type    = string
+  default = "PERSISTENT"
+}
diff --git a/infrastructure/terraform/per_account/qa/provider.tf b/infrastructure/terraform/per_account/qa/provider.tf
new file mode 100644
index 000000000..aa11ecde0
--- /dev/null
+++ b/infrastructure/terraform/per_account/qa/provider.tf
@@ -0,0 +1,20 @@
+provider "aws" {
+  region = local.region
+
+  assume_role {
+    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+  }
+
+  default_tags {
+    tags = {
+      Environment      = var.environment
+      Workspace        = "${replace(terraform.workspace, "_", "-")}-account-wide"
+      Project          = local.project
+      Name             = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide"
+      Owner            = "NHSE"
+      ProjectShortName = "CPM"
+      ProjectFullname  = "Connecting Party Manager"
+      WorkspaceType    = "PERSISTENT"
+    }
+  }
+}
diff --git a/infrastructure/terraform/per_account/qa/terraform.tf b/infrastructure/terraform/per_account/qa/terraform.tf
new file mode 100644
index 000000000..ca947a046
--- /dev/null
+++ b/infrastructure/terraform/per_account/qa/terraform.tf
@@ -0,0 +1,18 @@
+terraform {
+  backend "s3" {
+    encrypt              = false
+    region               = "eu-west-2"
+    bucket               = "nhse-cpm--terraform-state-v1.0.0"
+    dynamodb_table       = "nhse-cpm--terraform-state-lock-v1.0.0"
+    key                  = "terraform-state-infrastructure-qa-account-wide"
+    workspace_key_prefix = "nhse-cpm"
+  }
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.20.0"
+    }
+  }
+  # required_version = ">= 1.1.0"
+}
diff --git a/infrastructure/terraform/per_account/qa/vars.tf b/infrastructure/terraform/per_account/qa/vars.tf
new file mode 100644
index 000000000..5211b6e94
--- /dev/null
+++ b/infrastructure/terraform/per_account/qa/vars.tf
@@ -0,0 +1,23 @@
+variable "account_name" {
+  type = string
+}
+
+variable "assume_account" {
+  sensitive = true
+}
+
+variable "assume_role" {}
+
+variable "environment" {}
+
+variable "expiration_date" {
+  default = "NEVER"
+}
+
+variable "updated_date" {
+  default = "NEVER"
+}
+
+variable "workspace_type" {
+  default = "PERSISTENT"
+}
diff --git a/infrastructure/terraform/per_account/ref/locals.tf b/infrastructure/terraform/per_account/ref/locals.tf
new file mode 100644
index 000000000..9d2eefbf5
--- /dev/null
+++ b/infrastructure/terraform/per_account/ref/locals.tf
@@ -0,0 +1,5 @@
+locals {
+  region       = "eu-west-2"
+  project      = "nhse-cpm"
+  current_time = timestamp()
+}
diff --git a/infrastructure/terraform/per_account/ref/main.tf b/infrastructure/terraform/per_account/ref/main.tf
new file mode 100644
index 000000000..dd97616dc
--- /dev/null
+++ b/infrastructure/terraform/per_account/ref/main.tf
@@ -0,0 +1,33 @@
+resource "aws_resourcegroups_group" "resource_group" {
+  name        = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide-resource-group"
+  description = "PERSISTENT ${upper(terraform.workspace)} account-wide resource group."
+  tags = {
+    Name           = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide-resource-group"
+    CreatedOn      = var.updated_date
+    LastUpdated    = var.updated_date
+    ExpirationDate = var.expiration_date
+  }
+
+  lifecycle {
+    ignore_changes = [tags["CreatedOn"]]
+  }
+
+  resource_query {
+    query = <<JSON
+{
+  "ResourceTypeFilters": ["AWS::AllSupported"],
+  "TagFilters": [
+    {
+      "Key": "Workspace",
+      "Values": ["${replace(terraform.workspace, "_", "-")}-account-wide"]
+    }
+  ]
+}
+JSON
+  }
+}
+
+module "iam__api-gateway-to-cloudwatch" {
+  source  = "../modules/iam__api-gateway-to-cloudwatch"
+  project = local.project
+}
diff --git a/infrastructure/terraform/per_account/ref/parameters/locals.tf b/infrastructure/terraform/per_account/ref/parameters/locals.tf
new file mode 100644
index 000000000..9d2eefbf5
--- /dev/null
+++ b/infrastructure/terraform/per_account/ref/parameters/locals.tf
@@ -0,0 +1,5 @@
+locals {
+  region       = "eu-west-2"
+  project      = "nhse-cpm"
+  current_time = timestamp()
+}
diff --git a/infrastructure/terraform/per_account/ref/parameters/main.tf b/infrastructure/terraform/per_account/ref/parameters/main.tf
new file mode 100644
index 000000000..ea3b458e3
--- /dev/null
+++ b/infrastructure/terraform/per_account/ref/parameters/main.tf
@@ -0,0 +1,32 @@
+resource "aws_resourcegroups_group" "resource_group" {
+  name        = "${local.project}--${replace(terraform.workspace, "_", "-")}--parameter-resource-group"
+  description = "${var.workspace_type} ${upper(terraform.workspace)} parameter resource group."
+  tags = {
+    Name           = "${local.project}--${replace(terraform.workspace, "_", "-")}--parameter-resource-group"
+    CreatedOn      = var.updated_date
+    LastUpdated    = var.updated_date
+    ExpirationDate = var.expiration_date
+  }
+
+  lifecycle {
+    ignore_changes = [tags["CreatedOn"]]
+  }
+
+  resource_query {
+    query = <<JSON
+{
+  "ResourceTypeFilters": ["AWS::AllSupported"],
+  "TagFilters": [
+    {
+      "Key": "Workspace",
+      "Values": ["${replace(terraform.workspace, "_", "-")}-parameters"]
+    }
+  ]
+}
+JSON
+  }
+}
+
+resource "aws_secretsmanager_secret" "apigee-credentials" {
+  name = "${terraform.workspace}-apigee-credentials"
+}
diff --git a/infrastructure/terraform/per_account/ref/parameters/provider.tf b/infrastructure/terraform/per_account/ref/parameters/provider.tf
new file mode 100644
index 000000000..7d8a50a58
--- /dev/null
+++ b/infrastructure/terraform/per_account/ref/parameters/provider.tf
@@ -0,0 +1,20 @@
+provider "aws" {
+  region = local.region
+
+  assume_role {
+    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+  }
+
+  default_tags {
+    tags = {
+      Environment      = var.environment
+      Workspace        = "${replace(terraform.workspace, "_", "-")}-parameters"
+      Project          = local.project
+      Name             = "${local.project}--${replace(terraform.workspace, "_", "-")}-secrets"
+      Owner            = "NHSE"
+      ProjectShortName = "CPM"
+      ProjectFullname  = "Connecting Party Manager"
+      WorkspaceType    = var.workspace_type
+    }
+  }
+}
diff --git a/infrastructure/terraform/per_account/ref/parameters/terraform.tf b/infrastructure/terraform/per_account/ref/parameters/terraform.tf
new file mode 100644
index 000000000..bf8cd57d0
--- /dev/null
+++ b/infrastructure/terraform/per_account/ref/parameters/terraform.tf
@@ -0,0 +1,17 @@
+terraform {
+  backend "s3" {
+    encrypt              = false
+    region               = "eu-west-2"
+    bucket               = "nhse-cpm--terraform-state-v1.0.0"
+    dynamodb_table       = "nhse-cpm--terraform-state-lock-v1.0.0"
+    key                  = "terraform-state-account-secrets"
+    workspace_key_prefix = "nhse-cpm"
+  }
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.20.0"
+    }
+  }
+}
diff --git a/infrastructure/terraform/per_account/ref/parameters/vars.tf b/infrastructure/terraform/per_account/ref/parameters/vars.tf
new file mode 100644
index 000000000..8b585d3c0
--- /dev/null
+++ b/infrastructure/terraform/per_account/ref/parameters/vars.tf
@@ -0,0 +1,29 @@
+variable "account_name" {
+  type = string
+}
+
+variable "assume_account" {
+  sensitive = true
+}
+
+variable "assume_role" {}
+
+variable "environment" {}
+
+variable "deletion_protection_enabled" {
+  type    = bool
+  default = false
+}
+
+variable "expiration_date" {
+  default = "NEVER"
+}
+
+variable "updated_date" {
+  default = "NEVER"
+}
+
+variable "workspace_type" {
+  type    = string
+  default = "PERSISTENT"
+}
diff --git a/infrastructure/terraform/per_account/ref/provider.tf b/infrastructure/terraform/per_account/ref/provider.tf
new file mode 100644
index 000000000..aa11ecde0
--- /dev/null
+++ b/infrastructure/terraform/per_account/ref/provider.tf
@@ -0,0 +1,20 @@
+provider "aws" {
+  region = local.region
+
+  assume_role {
+    role_arn = "arn:aws:iam::${var.assume_account}:role/${var.assume_role}"
+  }
+
+  default_tags {
+    tags = {
+      Environment      = var.environment
+      Workspace        = "${replace(terraform.workspace, "_", "-")}-account-wide"
+      Project          = local.project
+      Name             = "${local.project}--${replace(terraform.workspace, "_", "-")}--account-wide"
+      Owner            = "NHSE"
+      ProjectShortName = "CPM"
+      ProjectFullname  = "Connecting Party Manager"
+      WorkspaceType    = "PERSISTENT"
+    }
+  }
+}
diff --git a/infrastructure/terraform/per_account/ref/terraform.tf b/infrastructure/terraform/per_account/ref/terraform.tf
new file mode 100644
index 000000000..1427e70ab
--- /dev/null
+++ b/infrastructure/terraform/per_account/ref/terraform.tf
@@ -0,0 +1,18 @@
+terraform {
+  backend "s3" {
+    encrypt              = false
+    region               = "eu-west-2"
+    bucket               = "nhse-cpm--terraform-state-v1.0.0"
+    dynamodb_table       = "nhse-cpm--terraform-state-lock-v1.0.0"
+    key                  = "terraform-state-infrastructure-ref-account-wide"
+    workspace_key_prefix = "nhse-cpm"
+  }
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5.20.0"
+    }
+  }
+  # required_version = ">= 1.1.0"
+}
diff --git a/infrastructure/terraform/per_account/ref/vars.tf b/infrastructure/terraform/per_account/ref/vars.tf
new file mode 100644
index 000000000..5211b6e94
--- /dev/null
+++ b/infrastructure/terraform/per_account/ref/vars.tf
@@ -0,0 +1,23 @@
+variable "account_name" {
+  type = string
+}
+
+variable "assume_account" {
+  sensitive = true
+}
+
+variable "assume_role" {}
+
+variable "environment" {}
+
+variable "expiration_date" {
+  default = "NEVER"
+}
+
+variable "updated_date" {
+  default = "NEVER"
+}
+
+variable "workspace_type" {
+  default = "PERSISTENT"
+}
diff --git a/scripts/aws/helpers.sh b/scripts/aws/helpers.sh
index 797f96e8f..fe15a8937 100755
--- a/scripts/aws/helpers.sh
+++ b/scripts/aws/helpers.sh
@@ -2,8 +2,8 @@
 
 function _validate_current_account() {
     required_account="$1"
-    ACCOUNT_DETAILS=$(aws account get-contact-information)
-    if [[ "$ACCOUNT_DETAILS" == *"$required_account"* ]]; then
+    ACCOUNT_DETAILS=$(aws account get-contact-information | jq .ContactInformation.FullName -r)
+    if [[ "$ACCOUNT_DETAILS" == "NHS Digital Spine Core CPM ${required_account}" ]]; then
         return 0
     else
         return 1
diff --git a/scripts/infrastructure/destroy.mk b/scripts/infrastructure/destroy.mk
index 4eb815e22..b63e7643e 100644
--- a/scripts/infrastructure/destroy.mk
+++ b/scripts/infrastructure/destroy.mk
@@ -1,16 +1,31 @@
 .PHONY: destroy--mgmt destroy--non-mgmt destroy--expired destroy--corrupted destroy--redundant-workspaces
 
 destroy--mgmt: aws--login ## Destroy the MGMT AWS environment. Must provide PREFIX and VERSION keyword arguments.
-	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/destroy/destroy-mgmt-resources.sh $(PREFIX) $(VERSION)
+	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) \
+	AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) \
+	AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) \
+	bash $(PATH_TO_INFRASTRUCTURE)/destroy/destroy-mgmt-resources.sh $(PREFIX) $(VERSION)
 
 destroy--non-mgmt: aws--login ## Destroy the Non-MGMT AWS environments. Must provide TERRAFORM_ROLE_NAME keyword argument.
-	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/destroy/destroy-non-mgmt-resources.sh
+	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) \
+	AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) \
+	AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) \
+	bash $(PATH_TO_INFRASTRUCTURE)/destroy/destroy-non-mgmt-resources.sh
 
 destroy--expired: aws--login ## Destroy any workspaces that have gone past their expiration date.
-	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/destroy/destroy-expired-workspaces.sh
+	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) \
+	AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) \
+	AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) \
+	bash $(PATH_TO_INFRASTRUCTURE)/destroy/destroy-expired-workspaces.sh
 
 destroy--corrupted: aws--login ## Destroy any workspaces that cannot be detroyed with terraform.
-	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/destroy/destroy-corrupted-workspace.sh $(TERRAFORM_WORKSPACE)
+	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) \
+	AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) \
+	AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) \
+	bash $(PATH_TO_INFRASTRUCTURE)/destroy/destroy-corrupted-workspace.sh $(TERRAFORM_WORKSPACE)
 
 destroy--redundant-workspaces: aws--login ## Destroy any workspaces that are associated with a branch when they are not the latest commit.
-	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/destroy/destroy-redundant-workspaces.sh $(BRANCH_NAME) $(DESTROY_ALL_COMMITS_ON_BRANCH) $(KILL_ALL) $(CURRENT_COMMIT)
+	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) \
+	AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) \
+	AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) \
+	bash $(PATH_TO_INFRASTRUCTURE)/destroy/destroy-redundant-workspaces.sh $(BRANCH_NAME) $(DESTROY_ALL_COMMITS_ON_BRANCH) $(KILL_ALL) $(CURRENT_COMMIT)
diff --git a/scripts/infrastructure/destroy/destroy-corrupted-workspace.sh b/scripts/infrastructure/destroy/destroy-corrupted-workspace.sh
index ab7c388c4..6cbba5369 100644
--- a/scripts/infrastructure/destroy/destroy-corrupted-workspace.sh
+++ b/scripts/infrastructure/destroy/destroy-corrupted-workspace.sh
@@ -7,7 +7,7 @@ source ./scripts/infrastructure/terraform/terraform-commands.sh
 TERRAFORM_WORKSPACE="$1"
 AWS_REGION_NAME="eu-west-2"
 ENV="dev"
-persistent_list=("dev" "int" "ref" "prod")
+persistent_list=("dev" "qa" "int" "ref" "prod")
 
 function _destroy_corrupted_workspace() {
     if [[ "$(aws account get-contact-information --region "${AWS_REGION_NAME}")" != *MGMT* ]]; then
@@ -22,7 +22,7 @@ function _destroy_corrupted_workspace() {
         return 1
     fi
 
-    dev_acct=$(_get_aws_account_id "$ENV")
+    dev_acct=$(_get_aws_account_id "$ENV" "$PROFILE_PREFIX" "$VERSION")
     role_arn="arn:aws:iam::${dev_acct}:role/${TERRAFORM_ROLE_NAME}"
     session_name="resource-search-session"
     duration_seconds=900
diff --git a/scripts/infrastructure/destroy/destroy-expired-workspaces.sh b/scripts/infrastructure/destroy/destroy-expired-workspaces.sh
index 85190f213..dc16f1a44 100644
--- a/scripts/infrastructure/destroy/destroy-expired-workspaces.sh
+++ b/scripts/infrastructure/destroy/destroy-expired-workspaces.sh
@@ -7,7 +7,7 @@ AWS_REGION_NAME="eu-west-2"
 ENV="dev"
 
 function _destroy_expired_workspaces() {
-    dev_acct=$(_get_aws_account_id "$ENV")
+    dev_acct=$(_get_aws_account_id "$ENV" "$PROFILE_PREFIX" "$VERSION")
     role_arn="arn:aws:iam::${dev_acct}:role/NHSDeploymentRole"
     session_name="resource-search-session"
     duration_seconds=900
diff --git a/scripts/infrastructure/destroy/destroy-mgmt-resources.sh b/scripts/infrastructure/destroy/destroy-mgmt-resources.sh
index 74e6b09d5..818ba66e9 100644
--- a/scripts/infrastructure/destroy/destroy-mgmt-resources.sh
+++ b/scripts/infrastructure/destroy/destroy-mgmt-resources.sh
@@ -19,7 +19,9 @@ fi
 AWS_REGION_NAME="eu-west-2"
 MGMT_ACCOUNT_ID_LOCATION="${PREFIX}--mgmt--mgmt-account-id-${VERSION}"
 PROD_ACCOUNT_ID_LOCATION="${PREFIX}--mgmt--prod-account-id-${VERSION}"
-TEST_ACCOUNT_ID_LOCATION="${PREFIX}--mgmt--test-account-id-${VERSION}"
+REF_ACCOUNT_ID_LOCATION="${PREFIX}--mgmt--ref-account-id-${VERSION}"
+INT_ACCOUNT_ID_LOCATION="${PREFIX}--mgmt--int-account-id-${VERSION}"
+QA_ACCOUNT_ID_LOCATION="${PREFIX}--mgmt--qa-account-id-${VERSION}"
 DEV_ACCOUNT_ID_LOCATION="${PREFIX}--mgmt--dev-account-id-${VERSION}"
 
 admin_policy_arn="arn:aws:iam::aws:policy/AdministratorAccess"
@@ -40,5 +42,7 @@ echo "Waiting for bucket contents to be deleted..." && sleep 10
 aws s3 rb "s3://${state_bucket_name}" || echo "Bucket could not be deleted at this time. You should go to the AWS Console and delete the bucket manually."
 aws secretsmanager delete-secret --secret-id "${MGMT_ACCOUNT_ID_LOCATION}" --region "${AWS_REGION_NAME}"
 aws secretsmanager delete-secret --secret-id "${DEV_ACCOUNT_ID_LOCATION}" --region "${AWS_REGION_NAME}"
-aws secretsmanager delete-secret --secret-id "${TEST_ACCOUNT_ID_LOCATION}" --region "${AWS_REGION_NAME}"
+aws secretsmanager delete-secret --secret-id "${QA_ACCOUNT_ID_LOCATION}" --region "${AWS_REGION_NAME}"
+aws secretsmanager delete-secret --secret-id "${INT_ACCOUNT_ID_LOCATION}" --region "${AWS_REGION_NAME}"
+aws secretsmanager delete-secret --secret-id "${REF_ACCOUNT_ID_LOCATION}" --region "${AWS_REGION_NAME}"
 aws secretsmanager delete-secret --secret-id "${PROD_ACCOUNT_ID_LOCATION}" --region "${AWS_REGION_NAME}"
diff --git a/scripts/infrastructure/destroy/destroy-redundant-workspaces.sh b/scripts/infrastructure/destroy/destroy-redundant-workspaces.sh
index c935b0b28..993299970 100644
--- a/scripts/infrastructure/destroy/destroy-redundant-workspaces.sh
+++ b/scripts/infrastructure/destroy/destroy-redundant-workspaces.sh
@@ -76,7 +76,7 @@ function _destroy_redundant_workspaces() {
     # Print the matching object names
     for workspace in "${matching_objects[@]}"; do
         echo "Attempting to destroy workspace: $workspace"
-        bash ./scripts/infrastructure/terraform/terraform-commands.sh destroy $workspace "non_account_wide" "" "-input=false -auto-approve -no-color"
+        bash ./scripts/infrastructure/terraform/terraform-commands.sh "destroy" "ref" $workspace "per_workspace" "" "-input=false -auto-approve -no-color"
     done
 }
 
diff --git a/scripts/infrastructure/initialise.mk b/scripts/infrastructure/initialise.mk
index 50c7dfa00..5facc59e8 100644
--- a/scripts/infrastructure/initialise.mk
+++ b/scripts/infrastructure/initialise.mk
@@ -1,7 +1,13 @@
 .PHONY: initialise--mgmt initialise--non-mgmt
 
 initialise--mgmt: aws--login ## Bootstrap the MGMT AWS environment. Must provide PREFIX and VERSION keyword arguments.
-	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/initialise/initialise-mgmt-resources.sh $(PREFIX) $(VERSION)
+	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) \
+	AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) \
+	AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) \
+	bash $(PATH_TO_INFRASTRUCTURE)/initialise/initialise-mgmt-resources.sh $(PREFIX) $(VERSION)
 
 initialise--non-mgmt: aws--login ## Bootstrap the Non-MGMT AWS environments. Must provide MGMT_ACCOUNT_ID keyword arguments.
-	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/initialise/initialise-non-mgmt-resources.sh
+	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) \
+	AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) \
+	AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) \
+	bash $(PATH_TO_INFRASTRUCTURE)/initialise/initialise-non-mgmt-resources.sh
diff --git a/scripts/infrastructure/initialise/initialise-mgmt-resources.sh b/scripts/infrastructure/initialise/initialise-mgmt-resources.sh
index 8ecfc7589..438b1918c 100644
--- a/scripts/infrastructure/initialise/initialise-mgmt-resources.sh
+++ b/scripts/infrastructure/initialise/initialise-mgmt-resources.sh
@@ -25,9 +25,11 @@ fi
 ACCOUNT_ID=$(aws sts get-caller-identity | jq -r .Account)
 AWS_REGION_NAME="eu-west-2"
 MGMT_ACCOUNT_ID_LOCATION="${PREFIX}--mgmt--mgmt-account-id-${VERSION}"
-PROD_ACCOUNT_ID_LOCATION="${PREFIX}--mgmt--prod-account-id-${VERSION}"
-TEST_ACCOUNT_ID_LOCATION="${PREFIX}--mgmt--test-account-id-${VERSION}"
 DEV_ACCOUNT_ID_LOCATION="${PREFIX}--mgmt--dev-account-id-${VERSION}"
+PROD_ACCOUNT_ID_LOCATION="${PREFIX}--mgmt--prod-account-id-${VERSION}"
+QA_ACCOUNT_ID_LOCATION="${PREFIX}--mgmt--qa-account-id-${VERSION}"
+INT_ACCOUNT_ID_LOCATION="${PREFIX}--mgmt--int-account-id-${VERSION}"
+REF_ACCOUNT_ID_LOCATION="${PREFIX}--mgmt--ref-account-id-${VERSION}"
 
 admin_policy_arn="arn:aws:iam::aws:policy/AdministratorAccess"
 truststore_bucket_name="${PREFIX}--truststore-${VERSION}"
@@ -125,5 +127,7 @@ aws dynamodb create-table \
 
 aws secretsmanager create-secret --name "${MGMT_ACCOUNT_ID_LOCATION}" --region "${AWS_REGION_NAME}"
 aws secretsmanager create-secret --name "${DEV_ACCOUNT_ID_LOCATION}" --region "${AWS_REGION_NAME}"
-aws secretsmanager create-secret --name "${TEST_ACCOUNT_ID_LOCATION}" --region "${AWS_REGION_NAME}"
+aws secretsmanager create-secret --name "${QA_ACCOUNT_ID_LOCATION}" --region "${AWS_REGION_NAME}"
+aws secretsmanager create-secret --name "${INT_ACCOUNT_ID_LOCATION}" --region "${AWS_REGION_NAME}"
+aws secretsmanager create-secret --name "${REF_ACCOUNT_ID_LOCATION}" --region "${AWS_REGION_NAME}"
 aws secretsmanager create-secret --name "${PROD_ACCOUNT_ID_LOCATION}" --region "${AWS_REGION_NAME}"
diff --git a/scripts/infrastructure/roles/manage-non-mgmt-aws-roles.sh b/scripts/infrastructure/roles/manage-non-mgmt-aws-roles.sh
index 4939ec00c..8ddd756bf 100755
--- a/scripts/infrastructure/roles/manage-non-mgmt-aws-roles.sh
+++ b/scripts/infrastructure/roles/manage-non-mgmt-aws-roles.sh
@@ -23,8 +23,12 @@ else
     ENV="prod"
   elif _validate_current_account "INT"; then
     ENV="int"
-  elif _validate_current_account "TEST"; then
-    ENV="test"
+  elif _validate_current_account "QA"; then
+    ENV="qa"
+  elif _validate_current_account "INT"; then
+    ENV="int"
+  elif _validate_current_account "REF"; then
+    ENV="ref"
   fi
 fi
 MGMT_ID_PARAMETER_STORE="nhse-cpm--${ENV}--mgmt-account-id-v1.0.0"
diff --git a/scripts/infrastructure/terraform.mk b/scripts/infrastructure/terraform.mk
index 88b5d394c..b5d44aeb1 100644
--- a/scripts/infrastructure/terraform.mk
+++ b/scripts/infrastructure/terraform.mk
@@ -1,7 +1,8 @@
 .PHONY: terraform--validate terraform--init terraform--plan terraform--apply terraform--destroy terraform--unlock
 
+AWS_ACCOUNT =
 TERRAFORM_WORKSPACE =
-ACCOUNT_WIDE = "non_account_wide"
+TERRAFORM_SCOPE = "per_workspace"
 TERRAFORM_ARGS =
 
 PREFIX =
@@ -14,4 +15,7 @@ terraform--apply: _terraform--apply ## Run terraform apply
 terraform--destroy: _terraform--destroy ## Run terraform destroy
 terraform--unlock: _terraform--unlock ## Run terraform unlock
 _terraform--%: aws--login
-	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) bash $(PATH_TO_INFRASTRUCTURE)/terraform/terraform-commands.sh $* "$(TERRAFORM_WORKSPACE)" "$(ACCOUNT_WIDE)" "$(PARAMETER_DEPLOY)" "$(TERRAFORM_ARGS)"
+	@AWS_ACCESS_KEY_ID=$(AWS_ACCESS_KEY_ID) \
+	AWS_SECRET_ACCESS_KEY=$(AWS_SECRET_ACCESS_KEY) \
+	AWS_SESSION_TOKEN=$(AWS_SESSION_TOKEN) \
+	bash $(PATH_TO_INFRASTRUCTURE)/terraform/terraform-commands.sh $* "${AWS_ACCOUNT}" "$(TERRAFORM_WORKSPACE)" "$(TERRAFORM_SCOPE)" "$(TERRAFORM_ARGS)"
diff --git a/scripts/infrastructure/terraform/terraform-commands.sh b/scripts/infrastructure/terraform/terraform-commands.sh
index ff501d53e..39d33e5cd 100644
--- a/scripts/infrastructure/terraform/terraform-commands.sh
+++ b/scripts/infrastructure/terraform/terraform-commands.sh
@@ -3,10 +3,11 @@
 source ./scripts/infrastructure/terraform/terraform-utils.sh
 
 TERRAFORM_COMMAND="$1"
-TERRAFORM_WORKSPACE="$2"
-ACCOUNT_WIDE="$3"
-PARAMETER_DEPLOY="$4"
-TERRAFORM_ARGS="$5"
+AWS_ACCOUNT="$2"
+TERRAFORM_WORKSPACE="$3"
+TERRAFORM_SCOPE="$4"
+PARAMETER_DEPLOY="$5"
+TERRAFORM_ARGS="$6"
 AWS_REGION_NAME="eu-west-2"
 
 function _terraform() {
@@ -16,89 +17,71 @@ function _terraform() {
     local current_date
     local terraform_dir
     local expiration_time
-    local terraform_role_name="NHSDevelopmentRole"
-    workspace=$(_get_workspace_name $TERRAFORM_WORKSPACE) || return 1
-    aws_account_id=$(_get_aws_account_id "$workspace") || return 1
-    if [ "$RUNNING_IN_CI" = 1 ]; then
-        terraform_role_name="NHSDeploymentRole"
-        # Ask Github Actions to mask the Account ID in the logs
-        echo "::add-mask:: ${aws_account_id}"
-    fi
+    local terraform_role_name="NHSDeploymentRole"
 
-    var_file=$(_get_workspace_vars_file "$workspace") || return 1
-    terraform_dir=$(_get_terraform_dir "$workspace" "$ACCOUNT_WIDE" "$PARAMETER_DEPLOY")
-    if [ $? -gt 0 ]; then
-        echo ${terraform_dir}
-        return 1
-    fi
-    workspace_type=$(_get_workspace_type "$workspace")
-    workspace_expiration=$(_get_workspace_expiration "$workspace")
+    account=$(_get_account_name "$AWS_ACCOUNT" "$TERRAFORM_WORKSPACE") || return 1
+    workspace=$(_get_workspace_name "$account" "$TERRAFORM_WORKSPACE") || return 1
+    aws_account_id=$(_get_aws_account_id "$account" "$PROFILE_PREFIX" "$VERSION") || return 1
+
+    var_file=$(_get_workspace_vars_file "$account") || return 1
+    scope=$(_get_terraform_scope "$TERRAFORM_SCOPE") || return 1
+    terraform_dir=$(_get_terraform_dir "$scope") || return 1
+    workspace_type=$(_get_workspace_type "$account" "$workspace")
+    workspace_expiration=$(_get_workspace_expiration "$workspace_type")
     expiration_date=$(_get_expiration_date "$workspace_expiration")
     current_date=$(_get_current_date) || return 1
     layers=$(_get_layer_list) || return 1
     lambdas=$(_get_lambda_list) || return 1
-    contact_info=$(_get_contact_information) || return 1
+    login_account=$(_get_account_full_name) || return 1
     local plan_file="./tfplan"
 
+    echo "
+    Terraforming
+    -------------------- ----------------------------------------
+    login_account        ${login_account}
+    scope                ${scope}
+    account              ${account}
+    workspace            ${workspace}
+    workspace_type       ${workspace_type}
+    workspace_expiration ${workspace_expiration}
+    expiration_date      ${expiration_date}
+"
+
+    if [[ "${login_account}" != "NHS Digital Spine Core CPM MGMT" ]]; then
+        echo "Please log in as the mgmt account" >&2
+        return 1
+    fi
+
+    cd "$terraform_dir" || return 1
+
     case $TERRAFORM_COMMAND in
         #----------------
         "validate")
-            cd "$terraform_dir" || return 1
             terraform validate || return 1
         ;;
         #----------------
         "init")
-            if [[ "${contact_info}" != *MGMT* ]]; then
-                echo "Please log in as the mgmt account" >&2
-                return 1
-            fi
-
-            cd "$terraform_dir" || return 1
             _terraform_init "$workspace" "$TERRAFORM_ARGS"
         ;;
         #----------------
         "plan")
-            if [[ "${contact_info}" != *MGMT* ]]; then
-                echo "Please log in as the mgmt account" >&2
-                return 1
-            fi
-
-            cd "$terraform_dir" || return 1
-            _terraform_plan "$workspace" "$var_file" "$plan_file" "$aws_account_id" "$ACCOUNT_WIDE" "$TERRAFORM_ARGS"
+            _terraform_plan "$workspace" "$var_file" "$plan_file" "$aws_account_id" "$scope" "$TERRAFORM_ARGS"
         ;;
         #----------------
         "apply")
-            if [[ "${contact_info}" != *MGMT* ]]; then
-                echo "Please log in as the mgmt account" >&2
-                return 1
-            fi
-
-            cd "$terraform_dir" || return 1
-            _terraform_apply "$workspace" "$plan_file" "$ACCOUNT_WIDE" "$TERRAFORM_ARGS"
+            _terraform_apply "$workspace" "$plan_file" "$TERRAFORM_ARGS"
         ;;
         #----------------
         "destroy")
-            if [[ "${contact_info}" != *MGMT* ]]; then
-                echo "Please log in as the mgmt account" >&2
-                return 1
-            fi
-
             if [[ -z ${workspace} ]]; then
                 echo "Non-mgmt parameter required" >&2
                 return 1
             fi
 
-            cd "$terraform_dir" || return 1
-            _terraform_destroy "$workspace" "$var_file" "$aws_account_id" "$ACCOUNT_WIDE" "$TERRAFORM_ARGS"
+            _terraform_destroy "$workspace" "$var_file" "$aws_account_id" "$TERRAFORM_ARGS"
         ;;
         #----------------
         "unlock")
-            if [[ "${contact_info}" != *MGMT* ]]; then
-                echo "Please log in as the mgmt account" >&2
-                return 1
-            fi
-
-            cd "$terraform_dir" || return 1
             _terraform_unlock "$workspace" "$TERRAFORM_ARGS"
         ;;
     esac
@@ -116,21 +99,25 @@ function _terraform_plan() {
     local var_file=$2
     local plan_file=$3
     local aws_account_id=$4
-    local account_wide=$5
+    local scope=$5
+
     local args=${@:6}
 
     terraform workspace select default
     terraform init || return 1
     terraform workspace select "$workspace" || terraform workspace new "$workspace" || return 1
 
-    if [[ "${account_wide}" = "account_wide" ]]; then
+    if [[ "${scope}" = "per_workspace" ]]; then
         terraform plan $args \
             -out="$plan_file" \
             -var-file="$var_file" \
             -var "assume_account=${aws_account_id}" \
             -var "assume_role=${terraform_role_name}" \
             -var "updated_date=${current_date}" \
-            -var "expiration_date=${expiration_date}" || return 1
+            -var "expiration_date=${expiration_date}" \
+            -var "lambdas=${lambdas}" \
+            -var "workspace_type=${workspace_type}" \
+            -var "layers=${layers}" || return 1
     else
         terraform plan $args \
             -out="$plan_file" \
@@ -138,18 +125,14 @@ function _terraform_plan() {
             -var "assume_account=${aws_account_id}" \
             -var "assume_role=${terraform_role_name}" \
             -var "updated_date=${current_date}" \
-            -var "expiration_date=${expiration_date}" \
-            -var "lambdas=${lambdas}" \
-            -var "workspace_type=${workspace_type}" \
-            -var "layers=${layers}" || return 1
+            -var "expiration_date=${expiration_date}" || return 1
     fi
 }
 
 function _terraform_apply() {
     local workspace=$1
     local plan_file=$2
-    local account_wide=$3
-    local args=${@:4}
+    local args=${@:3}
 
     terraform init || return 1
     terraform workspace select "$workspace" || terraform workspace new "$workspace" || return 1
@@ -161,26 +144,19 @@ function _terraform_destroy() {
     local workspace=$1
     local var_file=$2
     local aws_account_id=$3
-    local account_wide=$4
-    local args=${@:5}
+    local args=${@:4}
 
     terraform init -reconfigure || return 1
     terraform workspace select "$workspace" || terraform workspace new "$workspace" || return 1
 
-    if [[ "${account_wide}" = "account_wide" ]]; then
-        terraform apply -destroy $args \
-            -var-file="$var_file" \
-            -var "assume_account=${aws_account_id}" \
-            -var "assume_role=${terraform_role_name}" || return 1
-    else
-        terraform apply -destroy $args \
-            -var-file="$var_file" \
-            -var "assume_account=${aws_account_id}" \
-            -var "assume_role=${terraform_role_name}" \
-            -var "workspace_type=${workspace_type}" \
-            -var "lambdas=${lambdas}" \
-            -var "layers=${layers}" || return 1
-    fi
+    terraform apply -destroy $args \
+        -var-file="$var_file" \
+        -var "assume_account=${aws_account_id}" \
+        -var "assume_role=${terraform_role_name}" \
+        -var "workspace_type=${workspace_type}" \
+        -var "lambdas=${lambdas}" \
+        -var "layers=${layers}" \
+    || return 1
 
     if [ "$workspace" != "default" ]; then
         terraform workspace select default || return 1
@@ -189,6 +165,7 @@ function _terraform_destroy() {
 }
 
 function _terraform_unlock() {
+    local workspace=$1
     terraform force-unlock "$workspace"
 }
 
diff --git a/scripts/infrastructure/terraform/terraform-constants.sh b/scripts/infrastructure/terraform/terraform-constants.sh
index 86ac67337..09218a1ad 100644
--- a/scripts/infrastructure/terraform/terraform-constants.sh
+++ b/scripts/infrastructure/terraform/terraform-constants.sh
@@ -5,5 +5,7 @@ AWS_REGION_NAME="eu-west-2"
 VERSION="v1.0.0"
 MGMT_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--mgmt-account-id-${VERSION}"
 PROD_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--prod-account-id-${VERSION}"
-TEST_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--test-account-id-${VERSION}"
+REF_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--ref-account-id-${VERSION}"
+INT_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--int-account-id-${VERSION}"
+QA_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--qa-account-id-${VERSION}"
 DEV_ACCOUNT_ID_LOCATION="${PROFILE_PREFIX}--mgmt--dev-account-id-${VERSION}"
diff --git a/scripts/infrastructure/terraform/terraform-utils.sh b/scripts/infrastructure/terraform/terraform-utils.sh
index 8d43f4aeb..0ba229650 100644
--- a/scripts/infrastructure/terraform/terraform-utils.sh
+++ b/scripts/infrastructure/terraform/terraform-utils.sh
@@ -1,10 +1,28 @@
 #!/bin/bash
 
 source ./scripts/infrastructure/terraform/terraform-constants.sh
-PERSISTENT_WORKSPACES=("dev" "ref" "int" "prod" "dev-sandbox" "int-sandbox" "ref-sandbox")
+PERSISTENT_WORKSPACES=("dev" "qa" "ref" "int" "prod" "dev-sandbox" "int-sandbox" "ref-sandbox")
+
+
+function _get_account_name() {
+  local account=$1
+  local workspace=$2
+
+  # if account not specified then infer it
+  if [[ -z "$account" ]]; then
+    if [[ "$workspace" = "ci-"* ]]; then
+      echo "ref" # ci builds go here
+    else
+      echo "dev" # personal builds co here
+    fi
+  else
+    echo "$account"
+  fi
+}
 
 function _get_workspace_name() {
-  local workspace=$1
+  local account=$1
+  local workspace=$2
 
   if [[ -z $workspace ]]; then
     if [[ -z $TERRAFORM_LOCAL_WORKSPACE_OVERRIDE ]]; then
@@ -18,107 +36,78 @@ function _get_workspace_name() {
 }
 
 function _get_workspace_type() {
-  local env=$1
-  if [ "$RUNNING_IN_CI" = 1 ]; then
-    if [[ ${PERSISTENT_WORKSPACES[@]} =~ $env ]]; then
-      echo "PERSISTENT"
-    else
-      echo "CI"
-    fi
+  local account=$1
+  local workspace=$2
+
+  # persistent environments are where the workspace and account names match (e.g. qa/qa or qa/qa-sandbox)
+  if [[ "${workspace}" = "${account}" || "${workspace}" = "${account}-sandbox" ]]; then
+    echo "PERSISTENT"
+  # CI environments start with 'ci-'
+  elif [[ "${workspace}" = "ci-"* ]]; then
+    echo "CI"
+  # everything else is classified as 'LOCAL'
   else
     echo "LOCAL"
   fi
 }
 
 function _get_workspace_expiration() {
-  local env=$1
-  if [ "$RUNNING_IN_CI" = 1 ]; then
-    if [[ ${PERSISTENT_WORKSPACES[@]} =~ $env ]]; then
-      echo "NEVER"
-    else
-      echo "168"
-    fi
-  else
-    echo "72"
-  fi
+  case $1 in
+    "PERSISTENT")
+      echo "NEVER" ;;
+    "CI")
+      echo "168" ;;
+    *)
+      echo "72" ;;
+  esac
 }
 
 function _get_account_id_location() {
-    local workspace=$1
-
-    if [ "$RUNNING_IN_CI" = 1 ]; then
-        ## DELETE THIS WHEN TEST ACCOUNT ENABLED
-        echo "${DEV_ACCOUNT_ID_LOCATION}"
-        ## UNCOMMENT THIS WHEN TEST ACCOUNT ENABLED
-        # echo "${TEST_ACCOUNT_ID_LOCATION}"     # CI deployments to TEST by default
-    elif [ "$workspace" = "mgmt" ]; then
-        echo "${MGMT_ACCOUNT_ID_LOCATION}"
-    elif [ "$workspace" = "prod" ]; then
-        echo "${PROD_ACCOUNT_ID_LOCATION}"
-    elif [ "$workspace" = "ref" ] || [ "$workspace" = "ref-sandbox" ]; then
-        echo "${TEST_ACCOUNT_ID_LOCATION}"
-    elif [ "$workspace" = "int" ] || [ "$workspace" = "int-sandbox" ]; then
-        echo "${TEST_ACCOUNT_ID_LOCATION}"
-    else
-        echo "${DEV_ACCOUNT_ID_LOCATION}"
-    fi
+    local account=$1
+    local prefix=$2
+    local version=$3
+
+    echo "${prefix}--mgmt--${account}-account-id-${version}"
 }
 
-function _get_contact_information(){
-  echo $(aws account get-contact-information --region "${AWS_REGION_NAME}")
+function _get_account_full_name(){
+  echo $(aws account get-contact-information --region "${AWS_REGION_NAME}" | jq  .ContactInformation.FullName -r)
 }
 
 function _get_aws_account_id() {
     local account_id_location
     local profile_info
-    account_id_location=$(_get_account_id_location "$1")
-    profile_info="--profile nhse-cpm-mgmt-admin"
-    if [ "$RUNNING_IN_CI" = 1 ]; then
-      profile_info=""
-    fi
-    aws secretsmanager get-secret-value --secret-id "$account_id_location" --query SecretString --output text ${profile_info}
+    account_id_location=$(_get_account_id_location "$1" "$2" "$3")
+
+    aws secretsmanager get-secret-value \
+      --secret-id "$account_id_location" \
+      --query SecretString \
+      --output text
 }
 
 function _get_workspace_vars_file() {
     local dir=$(pwd)
-    local workspace=$1
-    local vars_prefix="dev"
-
-    if [ "$RUNNING_IN_CI" = 1 ]; then
-        ## DELETE THIS WHEN TEST ACCOUNT ENABLED
-        vars_prefix="dev"
-        ## UNCOMMENT THIS WHEN TEST ACCOUNT ENABLED
-        #vars_prefix="test"
-    elif [ "$workspace" = "mgmt" ]; then
-        vars_prefix="mgmt"
-    elif [ "$workspace" = "prod" ]; then
-        vars_prefix="prod"
-    elif [ "$workspace" = "ref" ] || [ "$workspace" = "ref-sandbox" ]; then
-        vars_prefix="test"
-    elif [ "$workspace" = "int" ] || [ "$workspace" = "int-sandbox" ]; then
-        vars_prefix="test"
-    fi
+    local account=$1
 
-    echo "${dir}/infrastructure/terraform/etc/${vars_prefix}.tfvars"
+    echo "${dir}/infrastructure/terraform/etc/${account}.tfvars"
 }
 
-function _get_terraform_dir() {
-  local env=$1
-  local account_wide=$2
-  local parameter_deploy=$3
-  local dir=$(pwd)
-  if [ "$parameter_deploy" = "parameter_deploy" ] && [ "$account_wide" = "account_wide" ]; then
-    echo "${dir}/infrastructure/terraform/per_account/$env/parameters"
-  elif [ "$account_wide" = "account_wide" ]; then
-    echo "${dir}/infrastructure/terraform/per_account/$env"
-  elif [ "$account_wide" = "non_account_wide" ]; then
-    echo "${dir}/infrastructure/terraform/per_workspace"
+function _get_terraform_scope() {
+  local scope=$1
+  if [[ -z "$scope" ]]; then
+    echo "per_workspace"
   else
-    echo "<account_wide> must either be 'non_account_wide' or 'account_wide'"
-    return 1
+    echo "$scope"
   fi
 }
 
+function _get_terraform_dir() {
+  local scope=$1
+  local dir=$(pwd)
+
+  echo "${dir}/infrastructure/terraform/${scope}"
+}
+
 function _get_current_date() {
     local timestamp=$(python -c "from datetime import datetime, timedelta, timezone; print(format(datetime.now(timezone.utc), '%Y-%m-%dT%H:%M:%SZ'))")
     echo "${timestamp}"