diff --git a/infrastructure/terraform/.gitignore b/infrastructure/terraform/.gitignore
index f0d9138..ed83c6d 100644
--- a/infrastructure/terraform/.gitignore
+++ b/infrastructure/terraform/.gitignore
@@ -14,6 +14,9 @@ components/**/backend_tfscaffold.tf
 **/work/*
 **/*tfstate.lock.info
+# NHS Notify Build context
+bootstrap
+
 # Scaffold Plugin Cache
 plugin-cache/*
diff --git a/infrastructure/terraform/components/acct/route_53_record_root.tf b/infrastructure/terraform/components/acct/route_53_record_root.tf
new file mode 100644
index 0000000..f9de4d4
--- /dev/null
+++ b/infrastructure/terraform/components/acct/route_53_record_root.tf
@@ -0,0 +1,8 @@
+# Record to support Cognito Hosted UIs per https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html
+resource "aws_route53_record" "root" {
+ name = ""
+ zone_id = aws_route53_zone.main.id
+ type = "A"
+ ttl = 300
+ records = ["127.0.0.1"]
+}
diff --git a/infrastructure/terraform/components/iam/acm_certificate_cognito.tf b/infrastructure/terraform/components/iam/acm_certificate_cognito.tf
new file mode 100644
index 0000000..c550b58
--- /dev/null
+++ b/infrastructure/terraform/components/iam/acm_certificate_cognito.tf
@@ -0,0 +1,16 @@
+resource "aws_acm_certificate" "cognito" {
+ provider = aws.us-east-1
+
+ domain_name = local.auth_domain_name
+ validation_method = "DNS"
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "aws_acm_certificate_validation" "cognito" {
+ provider = aws.us-east-1
+
+ certificate_arn = aws_acm_certificate.cognito.arn
+}
diff --git a/infrastructure/terraform/components/iam/amplify_app.tf b/infrastructure/terraform/components/iam/amplify_app.tf
index 4e38e19..9fcbb4e 100644
--- a/infrastructure/terraform/components/iam/amplify_app.tf
+++ b/infrastructure/terraform/components/iam/amplify_app.tf
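Review bot: The apex A record added in components/acct/route_53_record_root.tf answers `127.0.0.1` for the bare zone name, and the one-line comment only links the AWS doc without saying this is a deliberate placeholder; anyone who later resolves the zone root from a browser, a health check or an incident investigation is sent to loopback and the record reads as a mistake or a tampered entry. Suggest extending the comment to `# Placeholder only: Cognito custom domains require the parent domain to resolve. 127.0.0.1 is intentional and serves nothing; replace it if a real apex target is ever added.` The same placeholder is added for `local.root_domain_name` in components/iam/route53_record_root.tf and wants the same comment. Leaving `allow_overwrite` unset here is the right call, since Terraform will then refuse rather than silently replace an apex record that already exists.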
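Review bot: `aws_acm_certificate_validation.cognito` sets only `certificate_arn`, so nothing ties it to the DNS validation records created in components/iam/route53_record_cognito_acm_validation.tf; Terraform may begin waiting on ACM before those CNAMEs exist and, if they are ever missing, the failure only surfaces at the provider's validation timeout rather than at plan. Adding `validation_record_fqdns = [for r in aws_route53_record.cognito_acm_validation : r.fqdn]` makes the ordering explicit and has the provider check the records it is waiting on. The `aws.us-east-1` provider alias is required because the certificate is consumed by a CloudFront-backed Cognito custom domain; a one-line comment above `provider = aws.us-east-1` saying so would stop a later tidy-up moving it to the default region.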
@@ -15,10 +15,10 @@ resource "aws_amplify_app" "main" {
 ]
 environment_variables = {
- USER_POOL_ID = aws_cognito_user_pool.main.id
- # HOSTED_LOGIN_DOMAIN = "auth.${local.root_domain_name}"
- NOTIFY_GROUP = var.group
- NOTIFY_ENVIRONMENT = var.environment
- NOTIFY_DOMAIN_NAME = local.root_domain_name
+ USER_POOL_ID = aws_cognito_user_pool.main.id
+ HOSTED_LOGIN_DOMAIN = local.auth_domain_name
+ NOTIFY_GROUP = var.group
+ NOTIFY_ENVIRONMENT = var.environment
+ NOTIFY_DOMAIN_NAME = local.root_domain_name
 }
 }
diff --git a/infrastructure/terraform/components/iam/cognito_user_pool_client.tf b/infrastructure/terraform/components/iam/cognito_user_pool_client.tf
index 25faaf3..1a0c89b 100644
--- a/infrastructure/terraform/components/iam/cognito_user_pool_client.tf
+++ b/infrastructure/terraform/components/iam/cognito_user_pool_client.tf
@@ -5,8 +5,8 @@ resource "aws_cognito_user_pool_client" "main" {
 callback_urls = flatten([
 var.cognito_user_pool_additional_callback_urls,
 [
- "https://${local.csi}.${local.acct.dns_zone["name"]}/auth/",
- "https://${local.csi}.${aws_amplify_app.main.id}.amplifyapp.com/auth/"
+ "https://${var.environment}.${local.acct.dns_zone["name"]}/auth/",
+ "https://${aws_amplify_app.main.default_domain}/auth/"
 ]
 ])
diff --git a/infrastructure/terraform/components/iam/cognito_user_pool_domain.tf b/infrastructure/terraform/components/iam/cognito_user_pool_domain.tf
index f27f8d7..fe991d3 100644
--- a/infrastructure/terraform/components/iam/cognito_user_pool_domain.tf
+++ b/infrastructure/terraform/components/iam/cognito_user_pool_domain.tf
@@ -2,3 +2,11 @@ resource "aws_cognito_user_pool_domain" "main" {
 user_pool_id = aws_cognito_user_pool.main.id
 domain = local.csi
 }
+
+resource "aws_cognito_user_pool_domain" "custom" {
+ user_pool_id = aws_cognito_user_pool.main.id
+ certificate_arn = aws_acm_certificate.cognito.arn
+ domain = local.auth_domain_name
+
+ depends_on = [aws_route53_record.root]
+}
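Review bot: The first added callback URL rebuilds `${var.environment}.${local.acct.dns_zone["name"]}` by hand although locals.tf already defines exactly that string as `local.root_domain_name`; use `"https://${local.root_domain_name}/auth/",` so the redirect allow-list cannot drift from the hostname the app is actually served on. Cognito matches redirect URIs exactly, and every entry here is an authorised redirect target, so the list should stay as short as possible; `var.cognito_user_pool_additional_callback_urls` widens it from outside this file, and its variable description should say that each value must be a fully-qualified HTTPS URL under a domain the team controls. The `aws_amplify_app.main.default_domain` entry presumably covers the app-level domain only; if branch deployments are served on a branch-prefixed subdomain they will not match this entry, worth confirming against an actual deployment. The enclosing `aws_cognito_user_pool_client` resource starts and ends outside this hunk.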
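Review bot: `certificate_arn = aws_acm_certificate.cognito.arn` on the new `custom` domain references the certificate resource, not its validation, so Terraform can try to create the custom domain while the certificate is still pending and the first apply fails until it is re-run. Change it to `certificate_arn = aws_acm_certificate_validation.cognito.certificate_arn`, which yields the same ARN but only once ACM has issued the certificate. The existing `depends_on = [aws_route53_record.root]` covers the parent-domain requirement but not this ordering. Note also that the prefix domain `aws_cognito_user_pool_domain.main` remains provisioned alongside the custom one, so the hosted UI stays reachable on both hostnames; if only the custom hostname is intended to be user-facing, that should be stated in a comment or the prefix domain retired.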
diff --git a/infrastructure/terraform/components/iam/locals.tf b/infrastructure/terraform/components/iam/locals.tf
index db67ae9..ba0afe4 100644
--- a/infrastructure/terraform/components/iam/locals.tf
+++ b/infrastructure/terraform/components/iam/locals.tf
@@ -1,3 +1,4 @@
 locals {
 root_domain_name = "${var.environment}.${local.acct.dns_zone["name"]}"
+ auth_domain_name = "auth.${local.root_domain_name}"
 }
diff --git a/infrastructure/terraform/components/iam/route53_record_cognito.tf b/infrastructure/terraform/components/iam/route53_record_cognito.tf
new file mode 100644
index 0000000..2c4ea11
--- /dev/null
+++ b/infrastructure/terraform/components/iam/route53_record_cognito.tf
@@ -0,0 +1,25 @@
+resource "aws_route53_record" "cognito_alias" {
+ name = aws_cognito_user_pool_domain.custom.domain
+ zone_id = local.acct.dns_zone["id"]
+ type = "A"
+
+ alias {
+ evaluate_target_health = false
+
+ name = aws_cognito_user_pool_domain.main.cloudfront_distribution
+ zone_id = aws_cognito_user_pool_domain.main.cloudfront_distribution_zone_id
+ }
+}
+
+resource "aws_route53_record" "cognito_ipv6_alias" {
+ name = aws_cognito_user_pool_domain.custom.domain
+ zone_id = local.acct.dns_zone["id"]
+ type = "AAAA"
+
+ alias {
+ evaluate_target_health = false
+
+ name = aws_cognito_user_pool_domain.main.cloudfront_distribution
+ zone_id = aws_cognito_user_pool_domain.main.cloudfront_distribution_zone_id
+ }
+}
diff --git a/infrastructure/terraform/components/iam/route53_record_cognito_acm_validation.tf b/infrastructure/terraform/components/iam/route53_record_cognito_acm_validation.tf
new file mode 100644
index 0000000..b609860
--- /dev/null
+++ b/infrastructure/terraform/components/iam/route53_record_cognito_acm_validation.tf
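Review bot: Both alias records in route53_record_cognito.tf are named after `aws_cognito_user_pool_domain.custom.domain` but target `aws_cognito_user_pool_domain.main.cloudfront_distribution`, the prefix domain, rather than the custom domain's distribution. As far as I know Cognito only exposes a CloudFront distribution for custom domains, so this either fails at apply with an empty alias target or, if a value is returned, aliases the auth hostname to a distribution that was never configured to serve it, which is both a broken login page and a DNS name pointing at infrastructure not provisioned for it. In both resources change the alias to `name = aws_cognito_user_pool_domain.custom.cloudfront_distribution` and `zone_id = aws_cognito_user_pool_domain.custom.cloudfront_distribution_zone_id`. The two resources differ only in `type`; a single resource with `for_each = toset(["A", "AAAA"])` and `type = each.key` would keep them from drifting apart.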
@@ -0,0 +1,17 @@
+resource "aws_route53_record" "cognito_acm_validation" {
+ for_each = {
+ for dvo in aws_acm_certificate.cognito.domain_validation_options :
+ dvo.domain_name => {
+ name = dvo.resource_record_name
+ record = dvo.resource_record_value
+ type = dvo.resource_record_type
+ }
+ }
+
+ allow_overwrite = true
+ name = each.value.name
+ records = [each.value.record]
+ type = each.value.type
+ zone_id = local.acct.dns_zone["id"]
+ ttl = 60
+}
diff --git a/infrastructure/terraform/components/iam/route53_record_root.tf b/infrastructure/terraform/components/iam/route53_record_root.tf
new file mode 100644
index 0000000..e7f9e3d
--- /dev/null
+++ b/infrastructure/terraform/components/iam/route53_record_root.tf
@@ -0,0 +1,8 @@
+# Record to support Cognito Hosted UIs per https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-add-custom-domain.html
+resource "aws_route53_record" "root" {
+ name = local.root_domain_name
+ zone_id = local.acct.dns_zone["id"]
+ type = "A"
+ ttl = 300
+ records = ["127.0.0.1"]
+}
diff --git a/infrastructure/terraform/etc/.gitignore b/infrastructure/terraform/etc/.gitignore
new file mode 100644
index 0000000..c45cf41
--- /dev/null
+++ b/infrastructure/terraform/etc/.gitignore
@@ -0,0 +1 @@
+*.tfvars
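Review bot: `allow_overwrite = true` lets Terraform take over any pre-existing record bearing the validation CNAME's name, which is the provider-documented pattern for ACM validation but deserves a why-comment so it is not copied onto ordinary records in the zone. As I understand it ACM hands out the same validation name for a given domain and account, so a re-created certificate would otherwise collide with a CNAME Terraform no longer tracks; suggest `# allow_overwrite: a re-created certificate receives the same validation CNAME, so Terraform must be able to reclaim a record it no longer tracks (ACM validation only)`. The `for_each` keyed on `dvo.domain_name` is correct for a single-domain certificate and will keep working if SANs are later added to `aws_acm_certificate.cognito`.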