diff --git a/terraform/README.md b/terraform/README.md
index df6c1e19e..ba87802eb 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -1,6 +1,8 @@
 # Terraform Configuration
 
-Most everything that is part of UNIVAF runs in AWS, and the configuration for pretty much everything is stored here as [Terraform][] code. Whenever these files are changed, Terraform Cloud (a Terraform as a service offering) will pick up on it and develop a plan for what needs to actually change in AWS and, if the commit is on the `main` branch, automatically apply those changes.
+The production UNIVAF service at [getmyvax.org](https://getmyvax.org) was shut down on June 15, 2023. The remaining configuration code here supports historical archives and a shutdown notice page. If you are planning to deploy your own copy of UNIVAF to AWS, you can use the former production Terraform code in the [`./deprecated`](./deprecated) folder as guide.
+
+Whenever these files are changed, Terraform Cloud (a Terraform as a service offering) will pick up on it and develop a plan for what needs to actually change in AWS and, if the commit is on the `main` branch, automatically apply those changes.
 
 For more on Terraform configuration files, check out the [reference docs][terraform-docs].
 
diff --git a/terraform/deprecated/api-autoscaling.tf b/terraform/deprecated/api-autoscaling.tf
new file mode 100644
index 000000000..8e1bf33c2
--- /dev/null
+++ b/terraform/deprecated/api-autoscaling.tf
@@ -0,0 +1,92 @@
+# Scale the API service up and down depending on usage.
+#
+# The target defines the resource to be scaled and its limits, while the
+# policies do the actual scaling (and define how much and how often to do so),
+# and the alarms ultimately define the conditions under which to scale and call
+# the policies when those conditions are met.
+
+resource "aws_appautoscaling_target" "target" {
+  service_namespace  = "ecs"
+  resource_id        = "service/${aws_ecs_cluster.main.name}/${aws_ecs_service.api_service.name}"
+  scalable_dimension = "ecs:service:DesiredCount"
+  min_capacity       = 2
+  max_capacity       = 4
+}
+
+# Automatically scale capacity up by one
+resource "aws_appautoscaling_policy" "up" {
+  name               = "api_scale_up"
+  service_namespace  = aws_appautoscaling_target.target.service_namespace
+  resource_id        = aws_appautoscaling_target.target.resource_id
+  scalable_dimension = aws_appautoscaling_target.target.scalable_dimension
+
+  step_scaling_policy_configuration {
+    adjustment_type         = "ChangeInCapacity"
+    cooldown                = 60
+    metric_aggregation_type = "Maximum"
+
+    step_adjustment {
+      metric_interval_lower_bound = 0
+      scaling_adjustment          = 1
+    }
+  }
+}
+
+# Automatically scale capacity down by one
+resource "aws_appautoscaling_policy" "down" {
+  name               = "api_scale_down"
+  service_namespace  = aws_appautoscaling_target.target.service_namespace
+  resource_id        = aws_appautoscaling_target.target.resource_id
+  scalable_dimension = aws_appautoscaling_target.target.scalable_dimension
+
+  step_scaling_policy_configuration {
+    adjustment_type         = "ChangeInCapacity"
+    cooldown                = 60
+    metric_aggregation_type = "Maximum"
+
+    step_adjustment {
+      metric_interval_upper_bound = 0
+      scaling_adjustment          = -1
+    }
+  }
+}
+
+# CloudWatch alarm that triggers the autoscaling up policy
+resource "aws_cloudwatch_metric_alarm" "service_cpu_high" {
+  alarm_name          = "api_cpu_utilization_high"
+  comparison_operator = "GreaterThanOrEqualToThreshold"
+  datapoints_to_alarm = "1"
+  evaluation_periods  = "1"
+  metric_name         = "CPUUtilization"
+  namespace           = "AWS/ECS"
+  period              = "60"
+  statistic           = "Average"
+  threshold           = "55"
+
+  dimensions = {
+    ClusterName = aws_ecs_cluster.main.name
+    ServiceName = aws_ecs_service.api_service.name
+  }
+
+  alarm_actions = [aws_appautoscaling_policy.up.arn]
+}
+
+# CloudWatch alarm that triggers the autoscaling down policy
+resource "aws_cloudwatch_metric_alarm" "service_cpu_low" {
+  alarm_name          = "api_cpu_utilization_low"
+  comparison_operator = "LessThanOrEqualToThreshold"
+  datapoints_to_alarm = "2"
+  evaluation_periods  = "2"
+  metric_name         = "CPUUtilization"
+  namespace           = "AWS/ECS"
+  period              = "60"
+  statistic           = "Average"
+  threshold           = "15"
+
+  dimensions = {
+    ClusterName = aws_ecs_cluster.main.name
+    ServiceName = aws_ecs_service.api_service.name
+  }
+
+  alarm_actions = [aws_appautoscaling_policy.down.arn]
+}
diff --git a/terraform/deprecated/api-domains.tf b/terraform/deprecated/api-domains.tf
new file mode 100644
index 000000000..0b4d229db
--- /dev/null
+++ b/terraform/deprecated/api-domains.tf
@@ -0,0 +1,195 @@
+# Domains and CDN/Caching Layers
+#
+# The DNS zone (defined by the `domain_name` variable) should be manually
+# created in the AWS console, but all the records for the domain and subdomains
+# are managed here in code.
+#
+# The domains all point to CloudFront distributions for caching and DOS
+# protection. These are only turned on if there is also an SSL certificate
+# (set in the `ssl_certificate_arn` variable, and which also needs to be
+# created manually in the AWS console).
+
+locals {
+  # The domain of the API service's load balancer (not for public use).
+  api_internal_subdomain = "api.internal"
+  api_internal_domain = (
+    var.domain_name != ""
+    ? "${local.api_internal_subdomain}.${var.domain_name}"
+    : ""
+  )
+
+  # Domain at which to serve archived, historical data (stored in S3).
+  data_snapshots_subdomain = "archives"
+  data_snapshots_domain = (
+    var.domain_name != ""
+    ? "${local.data_snapshots_subdomain}.${var.domain_name}"
+    : ""
+  )
+}
+
+# Domain DNS Recods -----------------------------------------------------------
+
+data "aws_route53_zone" "domain_zone" {
+  count = var.domain_name != "" ? 1 : 0
+  name  = var.domain_name
+}
+
+# DNS record for the domain specified in the `domain_name` variable.
+resource "aws_route53_record" "api_domain_record" {
+  count = var.domain_name != "" ? 1 : 0
+
+  zone_id = data.aws_route53_zone.domain_zone[0].zone_id
+  name    = var.domain_name
+  type    = "A"
+
+  alias {
+    name                   = aws_cloudfront_distribution.univaf_api_ecs[0].domain_name
+    zone_id                = aws_cloudfront_distribution.univaf_api_ecs[0].hosted_zone_id
+    evaluate_target_health = false
+  }
+}
+
+# The `www.` subdomain. It is an alias for the primary domain name.
+resource "aws_route53_record" "api_www_domain_record" {
+  count   = var.domain_name != "" ? 1 : 0
+  zone_id = data.aws_route53_zone.domain_zone[0].zone_id
+  name    = "www"
+  type    = "CNAME"
+  records = [var.domain_name]
+  ttl     = 300
+}
+
+# The `api.internal` subdomain. Used for the API service's load balancer so it
+# can be secured with HTTPS.
+resource "aws_route53_record" "api_load_balancer_domain_record" {
+  count = var.domain_name != "" ? 1 : 0
+
+  zone_id = data.aws_route53_zone.domain_zone[0].zone_id
+  name    = local.api_internal_subdomain
+  type    = "A"
+
+  alias {
+    name                   = aws_alb.main.dns_name
+    zone_id                = aws_alb.main.zone_id
+    evaluate_target_health = false
+  }
+}
+
+# The `ecs.` subdomain.
+# This specifically points to the deployment on ECS (as opposed to a possible
+# external host).
+resource "aws_route53_record" "api_ecs_domain_record" {
+  count = var.domain_name != "" ? 1 : 0
+
+  zone_id = data.aws_route53_zone.domain_zone[0].zone_id
+  name    = "ecs"
+  type    = "A"
+
+  alias {
+    name                   = aws_cloudfront_distribution.univaf_api_ecs[0].domain_name
+    zone_id                = aws_cloudfront_distribution.univaf_api_ecs[0].hosted_zone_id
+    evaluate_target_health = false
+  }
+}
+
+
+# CloudFront ------------------------------------------------------------------
+
+# Use CloudFront as a caching layer in front of the API server that's running
+# in ECS. Enabled only if var.domain and var.ssl_certificate_arn are provided.
+resource "aws_cloudfront_distribution" "univaf_api_ecs" {
+  count = (
+    var.domain_name != ""
+    && var.ssl_certificate_arn != "" ? 1 : 0
+  )
+  enabled     = true
+  price_class = "PriceClass_100" # North America
+  aliases = [
+    var.domain_name,
+    "www.${var.domain_name}",
+    "ecs.${var.domain_name}"
+  ]
+  http_version = "http2and3"
+
+  origin {
+    origin_id   = "ecs.${var.domain_name}"
+    domain_name = local.api_internal_domain
+
+    custom_header {
+      name  = var.api_cloudfront_secret_header_name
+      value = var.api_cloudfront_secret
+    }
+
+    custom_origin_config {
+      http_port              = 80
+      https_port             = 443
+      origin_ssl_protocols   = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
+      origin_protocol_policy = "https-only"
+    }
+  }
+
+  default_cache_behavior {
+    allowed_methods        = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
+    cached_methods         = ["GET", "HEAD"]
+    target_origin_id       = "ecs.${var.domain_name}"
+    viewer_protocol_policy = "redirect-to-https"
+    min_ttl                = 0
+    max_ttl                = 3600
+
+    forwarded_values {
+      headers      = ["Host", "Origin", "Authorization", "x-api-key"]
+      query_string = true
+
+      cookies {
+        forward = "none"
+      }
+    }
+  }
+
+  viewer_certificate {
+    acm_certificate_arn = var.ssl_certificate_arn
+    ssl_support_method  = "sni-only"
+  }
+
+  restrictions {
+    geo_restriction {
+      restriction_type = "none"
+    }
+  }
+}
+
+# Provide a protective caching layer and a nice domain name for the S3 bucket
+# with historical data. (Allowing direct public access can get expensive.)
+# Docs: https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn
+module "univaf_data_snaphsots_cdn" {
+  count = (
+    var.domain_name != ""
+    && var.ssl_certificate_arn != "" ? 1 : 0
+  )
+  source  = "cloudposse/cloudfront-s3-cdn/aws"
+  version = "0.90.0"
+
+  origin_bucket                     = aws_s3_bucket.data_snapshots.bucket
+  dns_alias_enabled                 = true
+  aliases                           = [local.data_snapshots_domain]
+  parent_zone_id                    = data.aws_route53_zone.domain_zone[0].zone_id
+  acm_certificate_arn               = var.ssl_certificate_arn
+  cloudfront_access_logging_enabled = false
+
+  default_ttl     = 60 * 60 * 24 * 7 # 1 Week
+  http_version    = "http2and3"
+  allowed_methods = ["GET", "HEAD", "OPTIONS"]
+  cached_methods  = ["GET", "HEAD", "OPTIONS"]
+  # By default, CORS headers are forwarded, but we don't really care about them
+  # since the bucket is not operating in "website" mode.
+  forward_header_values = []
+
+  # HACK: this module creates bad values if you don't explicitly set one or
+  # more of namespace, environment, stage, name, or attributes.
+  # Basically, Cloud Posse modules generate an internal ID from the above,
+  # and that ID is used for lots of things. Bad stuff happens if it is empty.
+  # This issue is marked as closed, but is not actually solved:
+  # https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/issues/151
+  namespace = "cp"
+  name      = "univaf_data_snaphsots_cdn"
+}
diff --git a/terraform/deprecated/api.tf b/terraform/deprecated/api.tf
new file mode 100644
index 000000000..72b8ecbd4
--- /dev/null
+++ b/terraform/deprecated/api.tf
@@ -0,0 +1,264 @@
+# API Service
+#
+# The API server (code in the `server` directory) runs as a service on ECS. It
+# serves the public API and receives updates from the loaders.
+#
+# The API also has a scheduled job that runs once a day to archive the state of
+# the database and log all the updates it received that day. That job is also
+# a task that runs on ECS (but just a task that runs to completion, not a
+# service that ECS keeps running).
+
+# Only HTTP(S) traffic should go through the API server's load balancer.
+resource "aws_security_group" "lb" {
+  name        = "univaf-api-load-balancer-security-group"
+  description = "Controls access to the API server load balancer"
+  vpc_id      = aws_vpc.main.id
+
+  # HTTP
+  ingress {
+    protocol    = "tcp"
+    from_port   = 80
+    to_port     = 80
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  # HTTPS
+  ingress {
+    protocol    = "tcp"
+    from_port   = 443
+    to_port     = 443
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    protocol    = "-1"
+    from_port   = 0
+    to_port     = 0
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+# Traffic to the tasks that run the the API server in ECS should only accept
+# traffic from the load balancer; the public internet and other resources in AWS
+# should not be able to route directly to them.
+resource "aws_security_group" "api_server_tasks" {
+  name        = "univaf-api-server-tasks-security-group"
+  description = "Allow inbound access only from the load balancer"
+  vpc_id      = aws_vpc.main.id
+
+  ingress {
+    protocol        = "tcp"
+    from_port       = var.api_port
+    to_port         = var.api_port
+    security_groups = [aws_security_group.lb.id]
+  }
+
+  egress {
+    protocol    = "-1"
+    from_port   = 0
+    to_port     = 0
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
+
+# API Service -----------------------------------------------------------------
+
+# The actual task that runs on ECS.
+module "api_task" {
+  source = "./modules/task"
+
+  name  = "api"
+  image = "${aws_ecr_repository.server_repository.repository_url}:${var.api_release_version}"
+  role  = aws_iam_role.ecs_task_execution_role.arn
+  # Only certain CPU/Memory combinations are allowed. See:
+  # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size
+  cpu    = var.api_cpu
+  memory = var.api_memory
+  port   = var.api_port
+
+  # Enable Datadog
+  datadog_enabled = true
+  datadog_api_key = var.datadog_api_key
+
+  env_vars = {
+    RELEASE                   = var.api_release_version
+    DB_HOST                   = module.db.host
+    DB_NAME                   = module.db.db_name
+    DB_USERNAME               = var.db_user
+    DB_PASSWORD               = var.db_password
+    DB_POOL_SIZE_DATA         = format("%d", var.api_db_pool_size_data)
+    DB_POOL_SIZE_AVAILABILITY = format("%d", var.api_db_pool_size_availability)
+    API_KEYS                  = join(",", var.api_keys)
+    SENTRY_DSN                = var.api_sentry_dsn
+    SENTRY_TRACES_SAMPLE_RATE = format("%.2f", var.api_sentry_traces_sample_rate)
+    PRIMARY_HOST              = var.domain_name
+    API_SUNSET_DATE           = var.api_sunset_date
+  }
+
+  depends_on = [aws_alb_listener.front_end, aws_iam_role_policy_attachment.ecs_task_execution_role]
+}
+
+# The service's load balancer.
+resource "aws_alb" "main" {
+  name                       = "api-load-balancer"
+  subnets                    = aws_subnet.public.*.id
+  security_groups            = [aws_security_group.lb.id]
+  drop_invalid_header_fields = true
+}
+
+resource "aws_alb_target_group" "api" {
+  name        = "api-target-group"
+  port        = var.api_port
+  protocol    = "HTTP"
+  vpc_id      = aws_vpc.main.id
+  target_type = "ip"
+
+  health_check {
+    healthy_threshold   = "3"
+    interval            = "30"
+    protocol            = "HTTP"
+    matcher             = "200"
+    timeout             = "3"
+    path                = var.api_health_check_path
+    unhealthy_threshold = "2"
+  }
+}
+
+# Redirect all traffic from the ALB to the target group
+resource "aws_alb_listener" "front_end" {
+  load_balancer_arn = aws_alb.main.id
+  port              = 80
+  protocol          = "HTTP"
+
+  default_action {
+    type = "redirect"
+
+    redirect {
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
+  }
+}
+
+# Redirect all traffic from the ALB to the target group
+resource "aws_alb_listener" "front_end_https" {
+  load_balancer_arn = aws_alb.main.id
+  port              = 443
+  protocol          = "HTTPS"
+  ssl_policy        = "ELBSecurityPolicy-FS-1-2-Res-2020-10"
+  certificate_arn   = var.ssl_certificate_arn_api_internal
+
+  # Other rules below will forward if the request is OK.
+  default_action {
+    type = "fixed-response"
+
+    fixed_response {
+      content_type = "text/plain"
+      message_body = "Access Denied"
+      status_code  = "403"
+    }
+  }
+}
+
+resource "aws_alb_listener_rule" "redirect_www" {
+  listener_arn = aws_alb_listener.front_end_https.arn
+  priority     = 10
+
+  condition {
+    host_header {
+      values = ["www.${var.domain_name}"]
+    }
+  }
+
+  action {
+    type = "redirect"
+
+    redirect {
+      host        = var.domain_name
+      port        = "443"
+      protocol    = "HTTPS"
+      status_code = "HTTP_301"
+    }
+  }
+}
+
+# If a special secret is required for access (i.e. to allow only CloudFront and
+# not any request directly from the public internet), check it before forwarding
+# to the API service.
+resource "aws_lb_listener_rule" "api_forward_if_secret_header" {
+  listener_arn = aws_alb_listener.front_end_https.arn
+  priority     = 20
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_alb_target_group.api.arn
+  }
+
+  # Add a condition requiring a secret header only if there's a secret to check.
+  dynamic "condition" {
+    for_each = var.api_cloudfront_secret != "" ? [1] : []
+    content {
+      http_header {
+        http_header_name = var.api_cloudfront_secret_header_name
+        values           = [var.api_cloudfront_secret]
+      }
+    }
+  }
+
+  # There must be >= 1 condition; this is a no-op in case there's no secret.
+  condition {
+    source_ip {
+      values = ["0.0.0.0/0"]
+    }
+  }
+}
+
+# Allow requests in if they have a valid API key.
+resource "aws_lb_listener_rule" "api_forward_if_api_key" {
+  listener_arn = aws_alb_listener.front_end_https.arn
+  priority     = 30
+
+  action {
+    type             = "forward"
+    target_group_arn = aws_alb_target_group.api.arn
+  }
+
+  condition {
+    http_header {
+      http_header_name = "x-api-key"
+      values           = var.api_keys
+    }
+  }
+}
+
+# This service definition keeps the API server task running, connects it to the
+# load balancer, and manages multiple instances. (The actual scaling policies
+# are in a separate file.)
+resource "aws_ecs_service" "api_service" {
+  name            = "api"
+  cluster         = aws_ecs_cluster.main.id
+  task_definition = module.api_task.arn
+  desired_count   = 1 # This will get adjusted by autoscaling rules
+  launch_type     = "FARGATE"
+
+  lifecycle {
+    # Autoscaling rules will tweak this dynamically. Ignore it so Terraform
+    # doesn't reset things on every run.
+    ignore_changes = [desired_count]
+  }
+
+  network_configuration {
+    security_groups  = [aws_security_group.api_server_tasks.id, module.db.access_group_id]
+    subnets          = aws_subnet.public.*.id
+    assign_public_ip = true
+  }
+
+  load_balancer {
+    target_group_arn = aws_alb_target_group.api.id
+    container_name   = "api"
+    container_port   = var.api_port
+  }
+
+  depends_on = [aws_alb_listener.front_end, aws_iam_role_policy_attachment.ecs_task_execution_role, module.api_task]
+}
diff --git a/terraform/deprecated/bastion.tf b/terraform/deprecated/bastion.tf
new file mode 100644
index 000000000..17edfe386
--- /dev/null
+++ b/terraform/deprecated/bastion.tf
@@ -0,0 +1,28 @@
+# Bastion Server
+#
+# To access to services running on a private subnet, you can SSH into the
+# "bastion" server (which is in one of the public subnets and can see into the
+# private ones) and do your work from that SSH session.
+#
+# The bastion server itself is manually created, and uses this security group.
+resource "aws_security_group" "bastion_security_group" {
+
+  name        = "bastion-security"
+  description = "Allows SSH access to bastion server"
+  vpc_id      = aws_vpc.main.id
+
+  ingress {
+    description = ""
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
diff --git a/terraform/deprecated/cron-data-snapshot.tf b/terraform/deprecated/cron-data-snapshot.tf
new file mode 100644
index 000000000..696305fd2
--- /dev/null
+++ b/terraform/deprecated/cron-data-snapshot.tf
@@ -0,0 +1,35 @@
+# Daily Data Snapshot Cron Job
+#
+# The "daily data snapshot" task runs once a day to archive the contents of the
+# database and update logs to S3 so others can do historical analysis.
+
+module "daily_data_snapshot_task" {
+  source = "./modules/task"
+
+  name    = "daily-data-snapshot"
+  image   = "${aws_ecr_repository.server_repository.repository_url}:${var.api_release_version}"
+  command = ["node", "dist/scripts/availability_dump.js", "--write-to-s3", "--clear-log"]
+  role    = aws_iam_role.ecs_task_execution_role.arn
+
+  env_vars = {
+    DB_HOST                 = module.db.host
+    DB_NAME                 = module.db.db_name
+    DB_USERNAME             = var.db_user
+    DB_PASSWORD             = var.db_password
+    SENTRY_DSN              = var.api_sentry_dsn
+    DATA_SNAPSHOT_S3_BUCKET = var.data_snapshot_s3_bucket
+    AWS_ACCESS_KEY_ID       = var.data_snapshot_aws_key_id
+    AWS_SECRET_ACCESS_KEY   = var.data_snapshot_aws_secret_key
+    AWS_DEFAULT_REGION      = var.aws_region
+  }
+}
+
+module "daily_data_snapshot_schedule" {
+  source = "./modules/schedule"
+
+  schedule        = "cron(0 1 * * ? *)"
+  task            = module.daily_data_snapshot_task
+  cluster_arn     = aws_ecs_cluster.main.arn
+  subnets         = aws_subnet.public.*.id
+  security_groups = [aws_security_group.cron_job_tasks.id, module.db.access_group_id]
+}
diff --git a/terraform/deprecated/cron-loaders.tf b/terraform/deprecated/cron-loaders.tf
new file mode 100644
index 000000000..3b2caa803
--- /dev/null
+++ b/terraform/deprecated/cron-loaders.tf
@@ -0,0 +1,105 @@
+# Data Loaders
+#
+# The loader is a script that reads data from various sources (e.g. Walgreens,
+# PrepMod, the CDC), transforms the data into UNIVAF's format, and sends it to
+# the API server to store in the database. These are basically ETL jobs.
+#
+# To run it on ECS, we define a separate task that runs the loader for each
+# data source on a given schedule (it's possible to run multiple sources at
+# once, but keeping them as separate tasks makes management a little easier).
+# Some sources have additional CLI options or environment variables (e.g. API
+# keys relevant to that source).
+
+locals {
+  # Define the loader tasks. The keys name the task, and the values are a map
+  # that can have:
+  # - `schedule` (required) a `cron()` or `rate()` expression for when to run.
+  # - `env_vars` a map of extra environment variables to set.
+  # - `options` list of extra CLI options to pass to the loader.
+  # - `sources` list of sources to load. If not set, the key will be used.
+  #     For example, these listings are the same:
+  #       njvss = { schedule = "rate(5 minutes)" }
+  #       njvss = { schedule = "rate(5 minutes)", sources = ["njvss"] }
+  loaders = {
+    njvss = {
+      schedule = "rate(15 minutes)"
+      env_vars = {
+        NJVSS_AWS_KEY_ID     = var.njvss_aws_key_id
+        NJVSS_AWS_SECRET_KEY = var.njvss_aws_secret_key
+      }
+    },
+    waDoh             = { schedule = "cron(3/30 * * * ? *)" }
+    cvsSmart          = { schedule = "cron(3/15 * * * ? *)" }
+    walgreensSmart    = { schedule = "cron(2/15 * * * ? *)" }
+    albertsonsScraper = { schedule = "cron(20/30 * * * ? *)" }
+    hyvee             = { schedule = "cron(8/15 * * * ? *)" }
+    heb               = { schedule = "cron(1/15 * * * ? *)" }
+    cdcApi = {
+      schedule = "cron(0 0,12 * * ? *)"
+      # CDC updates are often slow; set stale threshold to 3 days.
+      options = ["--stale-threshold", "172800000"]
+    }
+    riteAidScraper = { schedule = "cron(5/30 * * * ? *)" }
+    riteAidApi = {
+      schedule = "cron(0/15 * * * ? *)"
+      env_vars = {
+        RITE_AID_URL = var.rite_aid_api_url
+        RITE_AID_KEY = var.rite_aid_api_key
+      }
+    }
+    prepmod = {
+      schedule = "cron(9/15 * * * ? *)"
+      options  = ["--states", "AK,WA", "--hide-missing-locations"]
+    }
+
+    # Kroger appears to have shut things off entirely. We just want to run them
+    # enough to know if they start working again.
+    krogerSmart = { schedule = "cron(0 1/6 * * ? *)" }
+  }
+}
+
+module "source_loader" {
+  source   = "./modules/task"
+  for_each = local.loaders
+
+  depends_on = [aws_alb.main]
+
+  name = each.key
+  command = concat(
+    ["--filter-stale-data"],
+    lookup(each.value, "options", []),
+    lookup(each.value, "sources", [each.key]),
+  )
+  env_vars = merge({
+    # NOTE: loaders go directly to the API load balancer, not CloudFront.
+    API_URL = (
+      local.api_internal_domain != ""
+      ? "https://${local.api_internal_domain}"
+      : "http://${aws_alb.main.dns_name}"
+    )
+    API_KEY         = var.api_keys[0]
+    API_CONCURRENCY = "5"
+    DD_API_KEY      = var.datadog_api_key
+    SENTRY_DSN      = var.loader_sentry_dsn
+  }, lookup(each.value, "env_vars", {}))
+  image = "${aws_ecr_repository.loader_repository.repository_url}:${var.loader_release_version}"
+  role  = aws_iam_role.ecs_task_execution_role.arn
+
+  # Only certain CPU/Memory combinations are allowed. See:
+  # https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size
+  cpu    = 256
+  memory = 512
+}
+
+module "source_loader_schedule" {
+  source   = "./modules/schedule"
+  for_each = local.loaders
+
+  schedule    = each.value.schedule
+  task        = module.source_loader[each.key]
+  cluster_arn = aws_ecs_cluster.main.arn
+  # Loaders do a lot of traffic getting data from external sources on the public
+  # internet, so they run in our "public" network with an internet gateway.
+  subnets         = aws_subnet.public.*.id
+  security_groups = [aws_security_group.cron_job_tasks.id]
+}
diff --git a/terraform/deprecated/cron.tf b/terraform/deprecated/cron.tf
new file mode 100644
index 000000000..e86d902b3
--- /dev/null
+++ b/terraform/deprecated/cron.tf
@@ -0,0 +1,14 @@
+# Cron Job-like tasks on ECS may need to reach out to other services to load
+# things, but nothing else should be initiating communication with them.
+resource "aws_security_group" "cron_job_tasks" {
+  name        = "univaf-cron-job-tasks-security-group"
+  description = "No inbound access, in univaf-vpc, for ECS Cron Jobs"
+  vpc_id      = aws_vpc.main.id
+
+  egress {
+    protocol    = "-1"
+    from_port   = 0
+    to_port     = 0
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}
diff --git a/terraform/deprecated/db.tf b/terraform/deprecated/db.tf
new file mode 100644
index 000000000..ca3b6f53f
--- /dev/null
+++ b/terraform/deprecated/db.tf
@@ -0,0 +1,22 @@
+# Database on RDS
+#
+# The application's database is managed through RDS. The definition here
+# provides a nice roll-up of settings that are important to manage. See the
+# `rds` module for all the guts of how this is implemented in detail.
+module "db" {
+  source = "./modules/rds"
+
+  name     = "univaf-db"
+  database = "univaf" # RDS does not allow hyphens
+  password = var.db_password
+  username = var.db_user
+
+  allocated_storage            = var.db_size
+  instance_class               = var.db_instance
+  engine                       = "postgres"
+  engine_version               = "14"
+  performance_insights_enabled = true
+
+  vpc_id     = aws_vpc.main.id
+  subnet_ids = aws_subnet.private[*].id
+}
diff --git a/terraform/deprecated/ecr.tf b/terraform/deprecated/ecr.tf
new file mode 100644
index 000000000..1f90869f6
--- /dev/null
+++ b/terraform/deprecated/ecr.tf
@@ -0,0 +1,70 @@
+# ECR (Elastic Container Registry)
+#
+# All our code is run as tasks on ECS, which means they need repositories to
+# store the container images. Images are built and published to these
+# repositories by GitHub Actions.
+
+locals {
+  ecr_keep_10_images_policy = <<EOF
+    {
+      "rules": [
+        {
+          "rulePriority": 1,
+          "description": "Keep last 10 images",
+          "selection": {
+            "tagStatus": "any",
+            "countType": "imageCountMoreThan",
+            "countNumber": 10
+          },
+          "action": {
+            "type": "expire"
+          }
+        }
+      ]
+    }
+  EOF
+}
+
+resource "aws_ecr_repository" "server_repository" {
+  name                 = "univaf-server"
+  image_tag_mutability = "IMMUTABLE"
+
+  image_scanning_configuration {
+    scan_on_push = false
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "server_repository" {
+  repository = aws_ecr_repository.server_repository.name
+  policy     = local.ecr_keep_10_images_policy
+}
+
+resource "aws_ecr_repository" "loader_repository" {
+  name                 = "univaf-loader"
+  image_tag_mutability = "IMMUTABLE"
+
+  image_scanning_configuration {
+    scan_on_push = false
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "loader_repository" {
+  repository = aws_ecr_repository.loader_repository.name
+  policy     = local.ecr_keep_10_images_policy
+}
+
+# This repository is maintained only for historical reference. The seed image
+# should not actually ever be used in production.
+resource "aws_ecr_repository" "seed_repository" {
+  name                 = "univaf-db-seed"
+  image_tag_mutability = "IMMUTABLE"
+
+  image_scanning_configuration {
+    scan_on_push = false
+  }
+}
+
+resource "aws_ecr_lifecycle_policy" "seed_repository" {
+  repository = aws_ecr_repository.seed_repository.name
+  policy     = local.ecr_keep_10_images_policy
+}
diff --git a/terraform/deprecated/ecs.tf b/terraform/deprecated/ecs.tf
new file mode 100644
index 000000000..4bb65cbf0
--- /dev/null
+++ b/terraform/deprecated/ecs.tf
@@ -0,0 +1,77 @@
+# ECS Cluster
+#
+# Most UNIVAF code is deployed as tasks that run on an ECS cluster, either as
+# scheduled cron-like scheduled tasks that run to completion, or as services
+# that the cluster will keep running. This file defines the cluster and
+# associated roles/policies needed to run tasks in it.
+
+resource "aws_ecs_cluster" "main" {
+  name = "univaf-cluster"
+
+  # Container Insights is *very* expensive for our configuration, but can be
+  # useful to turn on if granular metrics on cron job resource usage is needed.
+  setting {
+    name  = "containerInsights"
+    value = "disabled"
+  }
+}
+
+
+# Roles -----------------------------------------------------------------------
+
+# Things that need to execute tasks in the ECS cluster should use this role.
+resource "aws_iam_role" "ecs_task_execution_role" {
+  # TODO: consider using jsonencode and/or `inline_policy` blocks to put policy
+  #       definitions inline: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role
+  name               = "univaf-ecs-task-execution"
+  assume_role_policy = data.aws_iam_policy_document.ecs_task_execution_role.json
+}
+
+# Gives the role access to things needed to execute tasks. The policy referenced
+# here is predefined by Amazon.
+resource "aws_iam_role_policy_attachment" "ecs_task_execution_role" {
+  role       = aws_iam_role.ecs_task_execution_role.name
+  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
+}
+
+# Gives the role the ability to run actual tasks.
+resource "aws_iam_role_policy_attachment" "ecs_runtask_policy" {
+  role       = aws_iam_role.ecs_task_execution_role.name
+  policy_arn = aws_iam_policy.ecs_runtask_policy.arn
+}
+
+
+# Policies used in the role/attachments above ---------------------------------
+
+# Defines what resources are allowed to assume a given role.
+data "aws_iam_policy_document" "ecs_task_execution_role" {
+  version = "2012-10-17"
+  statement {
+    sid     = "1"
+    effect  = "Allow"
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ecs-tasks.amazonaws.com", "events.amazonaws.com"]
+    }
+  }
+}
+
+# Defines the ability to run a task in ECS.
+data "aws_iam_policy_document" "ecs_task_additional_permissions" {
+  version = "2012-10-17"
+  statement {
+    sid     = "1"
+    effect  = "Allow"
+    actions = ["ecs:RunTask", "iam:PassRole"]
+    resources = [
+      "*" # TODO: lock this down
+    ]
+  }
+}
+resource "aws_iam_policy" "ecs_runtask_policy" {
+  name   = "runtask_policy"
+  path   = "/"
+  policy = data.aws_iam_policy_document.ecs_task_additional_permissions.json
+}
diff --git a/terraform/deprecated/main.tf b/terraform/deprecated/main.tf
new file mode 100644
index 000000000..8d4011f0d
--- /dev/null
+++ b/terraform/deprecated/main.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_version = "~> 1.3.2"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.52"
+    }
+  }
+}
+
+provider "aws" {
+  region = var.aws_region
+}
diff --git a/terraform/deprecated/modules/rds/main.tf b/terraform/deprecated/modules/rds/main.tf
new file mode 100644
index 000000000..cdb59946e
--- /dev/null
+++ b/terraform/deprecated/modules/rds/main.tf
@@ -0,0 +1,100 @@
+# Other resources that need access to the database *should* use this security
+# group (get its ID from the outputs). That way they depend on the DB, rather
+# than the other way around when using `var.ingress_allow_security_groups`.
+resource "aws_security_group" "db_access" {
+  name        = "${var.name}-rds-access-group"
+  description = "Grants access to DB ${var.name}"
+  vpc_id      = var.vpc_id
+}
+
+resource "aws_security_group" "main" {
+  name        = "${var.name}-rds"
+  description = "Allows traffic to RDS from other security groups"
+  vpc_id      = var.vpc_id
+
+  ingress {
+    from_port = var.port
+    to_port   = var.port
+    protocol  = "TCP"
+    security_groups = concat(
+      [aws_security_group.db_access.id],
+      var.ingress_allow_security_groups
+    )
+  }
+
+  ingress {
+    from_port   = var.port
+    to_port     = var.port
+    protocol    = "TCP"
+    cidr_blocks = var.ingress_allow_cidr_blocks
+  }
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = -1
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "RDS (${var.name})"
+  }
+}
+
+resource "aws_db_subnet_group" "main" {
+  name        = var.name
+  description = "RDS subnet group"
+  subnet_ids  = var.subnet_ids
+}
+
+resource "aws_db_instance" "main" {
+  identifier = var.name
+
+  # Database
+  engine                       = var.engine
+  engine_version               = var.engine_version
+  allow_major_version_upgrade  = var.allow_major_version_upgrade
+  username                     = coalesce(var.username, var.name)
+  password                     = var.password
+  multi_az                     = var.multi_az
+  db_name                      = coalesce(var.database, var.name)
+  performance_insights_enabled = var.performance_insights_enabled
+
+  # Backups / maintenance
+  backup_retention_period   = var.backup_retention_period
+  backup_window             = var.backup_window
+  maintenance_window        = var.maintenance_window
+  monitoring_interval       = var.monitoring_interval
+  monitoring_role_arn       = var.monitoring_role_arn
+  apply_immediately         = var.apply_immediately
+  final_snapshot_identifier = "${var.name}-finalsnapshot"
+
+  # Hardware
+  instance_class    = var.instance_class
+  storage_type      = var.storage_type
+  allocated_storage = var.allocated_storage
+
+  # Network / security
+  db_subnet_group_name   = aws_db_subnet_group.main.id
+  vpc_security_group_ids = [aws_security_group.main.id]
+  publicly_accessible    = var.publicly_accessible
+}
+
+# Monitor critical metrics and send anomalies to SNS topic
+module "aws_db_instance_alarms" {
+  source            = "lorenzoaiello/rds-alarms/aws"
+  version           = "2.2.0"
+  db_instance_id    = aws_db_instance.main.id
+  db_instance_class = aws_db_instance.main.instance_class
+  actions_alarm     = [aws_sns_topic.alarms_sns.arn]
+  actions_ok        = [aws_sns_topic.alarms_sns.arn]
+
+  # Our basic behavior is bursty -- we send hundreds or thousands of updates
+  # in rapid succession every few minutes, so we expect to regularly go below
+  # 100% burst balance, but not *way* below.
+  disk_burst_balance_too_low_threshold = "80"
+}
+
+resource "aws_sns_topic" "alarms_sns" {
+  name = "aws-db-instance-alarms-topic"
+}
diff --git a/terraform/deprecated/modules/rds/outputs.tf b/terraform/deprecated/modules/rds/outputs.tf
new file mode 100644
index 000000000..67a09f68c
--- /dev/null
+++ b/terraform/deprecated/modules/rds/outputs.tf
@@ -0,0 +1,15 @@
+output "host" {
+  value = aws_db_instance.main.address
+}
+
+output "db_name" {
+  value = aws_db_instance.main.db_name
+}
+
+output "access_group_id" {
+  value = aws_security_group.db_access.id
+}
+
+output "access_group_arn" {
+  value = aws_security_group.db_access.arn
+}
diff --git a/terraform/deprecated/modules/rds/variables.tf b/terraform/deprecated/modules/rds/variables.tf
new file mode 100644
index 000000000..a5beaa65e
--- /dev/null
+++ b/terraform/deprecated/modules/rds/variables.tf
@@ -0,0 +1,118 @@
+variable "name" {
+  description = "RDS instance name"
+}
+
+variable "engine" {
+  description = "Database engine: mysql, postgres, etc."
+  default     = "postgres"
+}
+
+variable "engine_version" {
+  description = "Database version"
+  default     = "13.1"
+}
+
+variable "port" {
+  description = "Port for database to listen on"
+  default     = 5432
+}
+
+variable "database" {
+  description = "The database name for the RDS instance (if not specified, `var.name` will be used)"
+  default     = ""
+}
+
+variable "username" {
+  description = "The username for the RDS instance (if not specified, `var.name` will be used)"
+  default     = ""
+}
+
+variable "password" {
+  description = "Postgres user password"
+}
+
+variable "multi_az" {
+  description = "If true, database will be placed in multiple AZs for HA"
+  default     = false
+}
+
+variable "backup_retention_period" {
+  description = "Backup retention, in days"
+  default     = 5
+}
+
+variable "backup_window" {
+  description = "Time window for backups."
+  default     = "00:00-01:00"
+}
+
+variable "maintenance_window" {
+  description = "Time window for maintenance."
+  default     = "Mon:01:00-Mon:02:00"
+}
+
+variable "monitoring_interval" {
+  description = "Seconds between enhanced monitoring metric collection. 0 disables enhanced monitoring."
+  default     = "0"
+}
+
+variable "monitoring_role_arn" {
+  description = "The ARN for the IAM role that permits RDS to send enhanced monitoring metrics to CloudWatch Logs. Required if monitoring_interval > 0."
+  default     = ""
+}
+
+variable "apply_immediately" {
+  description = "If false, apply changes during maintenance window"
+  default     = true
+}
+
+variable "allow_major_version_upgrade" {
+  description = "If true, major version upgrades are allowed"
+  default     = false
+}
+
+variable "instance_class" {
+  description = "Underlying instance type"
+  default     = "db.t2.micro"
+}
+
+variable "storage_type" {
+  description = "Storage type: standard, gp2, or io1"
+  default     = "gp2"
+}
+
+variable "allocated_storage" {
+  description = "Disk size, in GB"
+  default     = 10
+}
+
+variable "publicly_accessible" {
+  description = "If true, the RDS instance will be open to the internet"
+  default     = false
+}
+
+variable "vpc_id" {
+  description = "The VPC ID to use"
+}
+
+variable "ingress_allow_security_groups" {
+  description = "A list of security group IDs to allow traffic from"
+  type        = list(string)
+  default     = []
+}
+
+variable "ingress_allow_cidr_blocks" {
+  description = "A list of CIDR blocks to allow traffic from"
+  type        = list(string)
+  default     = []
+}
+
+variable "subnet_ids" {
+  description = "A list of subnet IDs"
+  type        = list(string)
+}
+
+variable "performance_insights_enabled" {
+  description = "Enable RDS performance insights"
+  default     = false
+}
diff --git a/terraform/deprecated/modules/schedule/main.tf b/terraform/deprecated/modules/schedule/main.tf
new file mode 100644
index 000000000..53c6f9d19
--- /dev/null
+++ b/terraform/deprecated/modules/schedule/main.tf
@@ -0,0 +1,33 @@
+# Schedule task to run in ECS at a given interval or at set times using a
+# cron-style expression. Uses EventBridge (formerly CloudWatch Events).
+#
+# Schedules can use `rate()` expressions to set a frequency or `cron()`
+# expressions for more complex timing. For details, see
+# https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-schedule-expressions.html
+
+resource "aws_cloudwatch_event_rule" "schedule" {
+  name        = "${var.task.name}-schedule"
+  description = "Runs ${var.task.name} every ${var.schedule}"
+
+  schedule_expression = var.schedule
+  role_arn            = var.task.role
+}
+
+resource "aws_cloudwatch_event_target" "run_task" {
+  rule      = aws_cloudwatch_event_rule.schedule.name
+  arn       = var.cluster_arn
+  target_id = "${var.task.name}-schedule"
+  role_arn  = var.task.role
+
+  ecs_target {
+    task_count          = 1
+    task_definition_arn = var.task.arn
+    launch_type         = "FARGATE"
+
+    network_configuration {
+      subnets          = var.subnets
+      security_groups  = var.security_groups
+      assign_public_ip = true
+    }
+  }
+}
diff --git a/terraform/deprecated/modules/schedule/outputs.tf b/terraform/deprecated/modules/schedule/outputs.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/terraform/deprecated/modules/schedule/variables.tf b/terraform/deprecated/modules/schedule/variables.tf
new file mode 100644
index 000000000..62b2b6a3a
--- /dev/null
+++ b/terraform/deprecated/modules/schedule/variables.tf
@@ -0,0 +1,26 @@
+variable "task" {
+  description = "The task to run on this schedule"
+  type = object({
+    name = string
+    role = string
+    arn  = string
+  })
+}
+
+variable "schedule" {
+  description = "The expression to schedule at (see https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-schedule-expressions.html)"
+  type        = string
+}
+
+variable "cluster_arn" {
+  description = "The ARN of the ECS cluster to run the task on"
+}
+
+variable "subnets" {
+  description = "The subnets to run the task on"
+}
+
+variable "security_groups" {
+  description = "Any security groups to add to the task"
+  default     = []
+}
diff --git a/terraform/deprecated/modules/task/main.tf b/terraform/deprecated/modules/task/main.tf
new file mode 100644
index 000000000..dae4ed1bc
--- /dev/null
+++ b/terraform/deprecated/modules/task/main.tf
@@ -0,0 +1,121 @@
+
+/**
+ * The task module creates an ECS task definition.
+ *
+ * Usage:
+ *
+ *     module "nginx" {
+ *       source = "./modules/task"
+ *       name   = "nginx"
+ *       image  = "nginx"
+ *     }
+ *
+ */
+
+/**
+ * Define the two container definitions and the ultimate list we want to use
+ */
+locals {
+  env_vars = merge(
+    { ENV = "production", NODE_ENV = "production", SENTRY_ENVIRONMENT = "ecs" },
+    var.env_vars
+  )
+
+  log_group_name = "/ecs/${var.name}"
+
+  datadog_container_def = {
+    name  = "datadog-agent"
+    image = "datadog/agent:latest"
+    environment = [
+      {
+        name  = "DD_API_KEY"
+        value = var.datadog_api_key
+      },
+      {
+        name  = "ECS_FARGATE",
+        value = "true"
+      }
+    ]
+  }
+
+  container_definition = {
+    cpu    = var.cpu
+    memory = var.memory
+
+    name  = var.name
+    image = var.image
+
+    environment = [for key, val in local.env_vars : { name = key, value = val }]
+    entryPoint  = var.entry_point
+    command     = var.command
+
+    essential   = true
+    networkMode = "awsvpc"
+    mountPoints = []
+    portMappings = [
+      {
+        containerPort = var.port
+        hostPort      = var.port
+      }
+    ]
+    logConfiguration = {
+      logDriver = "awslogs"
+      options = {
+        "awslogs-group"         = local.log_group_name
+        "awslogs-region"        = var.aws_region
+        "awslogs-stream-prefix" = "ecs"
+      }
+    }
+  }
+
+  encoded_containers = (
+    var.datadog_enabled
+    ? jsonencode([local.container_definition, local.datadog_container_def])
+    : jsonencode([local.container_definition])
+  )
+}
+
+/**
+ * Resources.
+ */
+
+# The ECS task definition.
+resource "aws_ecs_task_definition" "main" {
+  family             = var.name
+  execution_role_arn = var.role
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  network_mode             = "awsvpc"
+  requires_compatibilities = ["FARGATE"]
+  cpu                      = var.cpu
+  memory                   = var.memory
+  container_definitions    = local.encoded_containers
+
+  # TODO: see about running on ARM for less power consumption. I *think* we
+  # need to build the images with:
+  #   docker buildx build --platform linux/amd64,linux/arm64 ...other-args...
+  # See also some tips in:
+  #   https://blog.thesparktree.com/docker-multi-arch-github-actions
+  # runtime_platform {
+  #   operating_system_family = "LINUX"
+  #   cpu_architecture        = "ARM64"
+  # }
+}
+
+# Set up CloudWatch group and log stream and retain logs for 30 days
+resource "aws_cloudwatch_log_group" "log_group" {
+  name              = local.log_group_name
+  retention_in_days = 30
+
+  tags = {
+    Name = var.name
+  }
+}
+
+resource "aws_cloudwatch_log_stream" "log_stream" {
+  name           = "${var.name}-log-stream"
+  log_group_name = aws_cloudwatch_log_group.log_group.name
+}
diff --git a/terraform/deprecated/modules/task/outputs.tf b/terraform/deprecated/modules/task/outputs.tf
new file mode 100644
index 000000000..54adec647
--- /dev/null
+++ b/terraform/deprecated/modules/task/outputs.tf
@@ -0,0 +1,23 @@
+/**
+ * Outputs.
+ */
+
+// The created task definition name
+output "name" {
+  value = aws_ecs_task_definition.main.family
+}
+
+// The created task definition ARN
+output "arn" {
+  value = aws_ecs_task_definition.main.arn
+}
+
+// The task execution role ARN
+output "role" {
+  value = var.role
+}
+
+// The revision number of the task definition
+output "revision" {
+  value = aws_ecs_task_definition.main.revision
+}
diff --git a/terraform/deprecated/modules/task/variables.tf b/terraform/deprecated/modules/task/variables.tf
new file mode 100644
index 000000000..590f13eca
--- /dev/null
+++ b/terraform/deprecated/modules/task/variables.tf
@@ -0,0 +1,74 @@
+/**
+ * Required Variables.
+ */
+
+variable "image" {
+  description = "The docker image name, e.g nginx"
+}
+
+variable "name" {
+  description = "The worker name, if empty the service name is defaulted to the image name"
+}
+
+variable "port" {
+  description = "The docker container port"
+  default     = 3000
+}
+
+/**
+ * Optional Variables.
+ */
+
+variable "cpu" {
+  description = "The number of cpu units to reserve for the container"
+  default     = 1024
+}
+
+variable "env_vars" {
+  description = "The raw json of the task env vars"
+  default     = {}
+}
+
+variable "command" {
+  description = "Command and arguments to run"
+  default     = []
+} # ["--state","NJ","vaccinespotter"]
+
+variable "entry_point" {
+  description = "The docker container entry point"
+  default     = []
+}
+
+variable "image_version" {
+  description = "The docker image version"
+  default     = "latest"
+}
+
+variable "memory" {
+  description = "The number of MiB of memory to reserve for the container"
+  default     = 2048
+}
+
+variable "log_driver" {
+  description = "The log driver to use use for the container"
+  default     = "awslogs"
+}
+
+variable "role" {
+  description = "The IAM Role to assign to the Container"
+  default     = ""
+}
+
+variable "aws_region" {
+  default = "us-west-2"
+}
+
+variable "datadog_enabled" {
+  description = "Should datadog be enabled for this task"
+  default     = false
+}
+
+variable "datadog_api_key" {
+  description = "The datadog api key to be used for this container"
+  default = ""
+}
diff --git a/terraform/deprecated/networks.tf b/terraform/deprecated/networks.tf
new file mode 100644
index 000000000..b652b3d20
--- /dev/null
+++ b/terraform/deprecated/networks.tf
@@ -0,0 +1,64 @@
+# Network Configuration
+#
+# This creates one VPC for all services, with one public and one private subnet
+# in each availability zone (how many zones comes from the `az_count` variable).
+# Services that don't need to be reachable from the public internet
+# (e.g. the database) run in the private networks.
+
+# Fetch AZs in the current region
+data "aws_availability_zones" "available" {}
+
+resource "aws_vpc" "main" {
+  cidr_block = "172.17.0.0/16"
+
+  tags = {
+    Name = "univaf-vpc"
+  }
+}
+
+
+# Public Network --------------------------------------------------------------
+
+# The "public" subnets have an internet gateway and automatically assign public
+# IP addresses to any services in them. Services here can reach out to the
+# internet and things on the internet can reach them, so anything running in
+# these subnets should be protected with narrowly-focused security groups.
+resource "aws_subnet" "public" {
+  count                   = var.az_count
+  cidr_block              = cidrsubnet(aws_vpc.main.cidr_block, 8, var.az_count + count.index)
+  availability_zone       = data.aws_availability_zones.available.names[count.index]
+  vpc_id                  = aws_vpc.main.id
+  map_public_ip_on_launch = true
+
+  tags = {
+    Name = "univaf-public-${count.index}"
+  }
+}
+
+resource "aws_internet_gateway" "gw" {
+  vpc_id = aws_vpc.main.id
+}
+
+# Route the public subnet traffic through the internet gateway above.
+resource "aws_route" "internet_access" {
+  route_table_id         = aws_vpc.main.main_route_table_id
+  destination_cidr_block = "0.0.0.0/0"
+  gateway_id             = aws_internet_gateway.gw.id
+}
+
+
+# Private Network -------------------------------------------------------------
+
+# The "private" subnets do not automatically assign services public IPs and do
+# not have any gateway to the public internet. Only other services in our VPC
+# (any subnet) can communicate with things in it.
+resource "aws_subnet" "private" {
+  count             = var.az_count
+  cidr_block        = cidrsubnet(aws_vpc.main.cidr_block, 8, count.index)
+  availability_zone = data.aws_availability_zones.available.names[count.index]
+  vpc_id            = aws_vpc.main.id
+
+  tags = {
+    Name = "univaf-private-${count.index}"
+  }
+}
diff --git a/terraform/deprecated/outputs.tf b/terraform/deprecated/outputs.tf
new file mode 100644
index 000000000..a59b41c5a
--- /dev/null
+++ b/terraform/deprecated/outputs.tf
@@ -0,0 +1,9 @@
+# outputs.tf
+
+output "alb_hostname" {
+  value = aws_alb.main.dns_name
+}
+
+output "cloudfront_hostname_ecs" {
+  value = aws_cloudfront_distribution.univaf_api_ecs[0].domain_name
+}
diff --git a/terraform/deprecated/s3.tf b/terraform/deprecated/s3.tf
new file mode 100644
index 000000000..6f45d63e9
--- /dev/null
+++ b/terraform/deprecated/s3.tf
@@ -0,0 +1,34 @@
+# S3 Buckets
+#
+# The API server stores historical logs and daily snapshots of the database in
+# S3 for later analysis. It is publicly available via CloudFront, which reads
+# from the bucket.
+
+resource "aws_s3_bucket" "data_snapshots" {
+  bucket = "univaf-data-snapshots"
+}
+
+resource "aws_s3_bucket_acl" "data_snapshots_acl" {
+  bucket = aws_s3_bucket.data_snapshots.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_lifecycle_configuration" "data_snapshots" {
+  bucket = aws_s3_bucket.data_snapshots.id
+
+  rule {
+    id     = "Delete old incomplete multipart uploads"
+    status = "Enabled"
+
+    abort_incomplete_multipart_upload {
+      days_after_initiation = 1
+    }
+  }
+}
+
+resource "aws_s3_bucket_versioning" "data_snapshots" {
+  bucket = aws_s3_bucket.data_snapshots.id
+  versioning_configuration {
+    status = "Enabled"
+  }
+}
diff --git a/terraform/deprecated/variables-deploy.tf.json b/terraform/deprecated/variables-deploy.tf.json
new file mode 100644
index 000000000..d6e0b4e18
--- /dev/null
+++ b/terraform/deprecated/variables-deploy.tf.json
@@ -0,0 +1,14 @@
+{
+  "//": "This file is generated by scripts/deploy_infra.sh. DO NOT HAND-EDIT!",
+
+  "variable": {
+    "api_release_version": {
+      "description": "API Release Version",
+      "default": "8600301ffb067aa174a4395c9de9dd99aac20280"
+    },
+    "loader_release_version": {
+      "description": "Loader Release Version",
+      "default": "8600301ffb067aa174a4395c9de9dd99aac20280"
+    }
+  }
+}
diff --git a/terraform/deprecated/variables.tf b/terraform/deprecated/variables.tf
new file mode 100644
index 000000000..7de38a81e
--- /dev/null
+++ b/terraform/deprecated/variables.tf
@@ -0,0 +1,167 @@
+variable "aws_region" {
+  description = "The AWS region things are created in"
+  default     = "us-west-2"
+}
+
+variable "az_count" {
+  description = "Number of AZs to cover (within the chosen region)"
+  default     = 2
+}
+
+variable "ssl_certificate_arn" {
+  description = "To enable HTTPS, the ARN of an SSL certificate created with ACM in us-east-1"
+  default     = ""
+}
+
+variable "ssl_certificate_arn_api_internal" {
+  description = "The ARN of an SSL certificate in ACM to use for the API services load balancer (cerificate must be in the same region as the `aws_region` variable)"
+  default     = ""
+}
+
+variable "domain_name" {
+  description = "The domain name to use for HTTPS traffic"
+  default     = ""
+}
+
+variable "data_snapshot_s3_bucket" {
+  description = "The S3 bucket to store database snapshot data into"
+  default     = "univaf-data-snapshots"
+}
+
+variable "data_snapshot_aws_key_id" {
+  description = "AWS access key ID for writing to the data snapshot S3 bucket"
+  sensitive   = true
+}
+
+variable "data_snapshot_aws_secret_key" {
+  description = "AWS secret key for writing to the data snapshot S3 bucket"
+  sensitive   = true
+}
+
+variable "db_user" {
+  description = "The database user"
+  default     = "univaf"
+}
+
+variable "db_password" {
+  description = "The password for the database instance, filled via Terraform"
+  sensitive   = true
+}
+
+variable "db_instance" {
+  description = "The instance type for the DB. Reference: https://aws.amazon.com/rds/instance-types/"
+  default     = "db.t4g.small"
+}
+
+variable "db_size" {
+  description = "The storage size for the DB (in Gigabytes)"
+  default     = 48
+}
+
+variable "api_cloudfront_secret" {
+  description = "A secret key that must be sent as a header to the API load balancer in order to access it. Used to keep the load balancer from being accessed except by CloudFront. (optional)"
+  type        = string
+  sensitive   = true
+  default     = ""
+}
+
+variable "api_cloudfront_secret_header_name" {
+  description = "Name of the HTTP header to send `api_cloudfront_secret` in."
+  default     = "X-Secret-Access-Key"
+}
+
+variable "api_keys" {
+  description = "List of valid API keys for posting data to the API service. The loaders will use the first key."
+  type        = list(string)
+}
+
+variable "api_port" {
+  description = "Port to send HTTP traffic to in API service"
+  default     = 3000
+}
+
+variable "api_health_check_path" {
+  default = "/health"
+}
+
+variable "api_cpu" {
+  description = "CPU units to provision for each API service instance (1 vCPU = 1024 CPU units) - Allowed values: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size"
+  default     = 1024
+}
+
+variable "api_memory" {
+  description = "Memory to provision for each API service instance (in MiB) - Allowed values: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/AWS_Fargate.html#fargate-tasks-size"
+  default     = 2048
+}
+
+variable "api_db_pool_size_data" {
+  description = "The maximum number of DB connection a single API server can hold for general usage."
+  type        = number
+  default     = 20
+}
+
+variable "api_db_pool_size_availability" {
+  description = "The maximum number of DB connection a single API server can hold for logging."
+  type        = number
+  default     = 10
+}
+
+variable "api_sentry_dsn" {
+  description = "The Sentry.io DSN to use for the API service"
+  default     = ""
+  sensitive   = true
+}
+
+variable "api_sentry_traces_sample_rate" {
+  description = "The sample rate for Sentry performance monitoring in the API service"
+  type        = number
+  default     = 0.01
+
+  validation {
+    condition     = var.api_sentry_traces_sample_rate >= 0.0 && var.api_sentry_traces_sample_rate <= 1.0
+    error_message = "The api_sentry_traces_sample_rate variable must be between 0 and 1."
+  }
+}
+
+variable "api_sunset_date" {
+  description = "ISO 8601 Date or Datetime when the API will be turned off."
+  default     = ""
+}
+
+variable "loader_sentry_dsn" {
+  description = "The Sentry.io DSN to use for the loaders"
+  default     = ""
+  sensitive   = true
+}
+
+variable "datadog_api_key" {
+  description = "API key for sending metrics to Datadog"
+  sensitive   = true
+}
+
+variable "njvss_aws_key_id" {
+  sensitive = true
+}
+
+variable "njvss_aws_secret_key" {
+  sensitive = true
+}
+
+variable "rite_aid_api_url" {
+  description = "The Rite Aid API URL"
+  default     = "https://api.riteaid.com/digital/Covid19-Vaccine/ProviderDetails"
+}
+
+variable "rite_aid_api_key" {
+  description = "The Rite Aid API Key"
+  sensitive   = true
+}
+
+# These AWS variables are present to clean up warnings in terraform
+variable "AWS_SECRET_ACCESS_KEY" {
+  default = ""
+}
+
+variable "AWS_ACCESS_KEY_ID" {
+  default = ""
+}