diff --git a/.github/workflows/cicd-3-deploy.yaml b/.github/workflows/cicd-3-deploy.yaml
index a04aa0a10..2c57a64c1 100644
--- a/.github/workflows/cicd-3-deploy.yaml
+++ b/.github/workflows/cicd-3-deploy.yaml
@@ -79,7 +79,8 @@ jobs:
   deploy:
     name: "Deploy to an environment"
     runs-on: ubuntu-latest
-    needs: [ metadata ]
+    needs: [metadata]
+    environment: ${{ inputs.environment }}
     timeout-minutes: 10
     permissions:
       id-token: write
@@ -93,7 +94,21 @@ jobs:
       - name: "Set up Python"
         uses: actions/setup-python@v5
         with:
-          python-version: '3.13'
+          python-version: "3.13"
+
+      - name: "Checkout Repository"
+        uses: actions/checkout@v4
+
+      - name: "Build lambda artefact"
+        run: |
+          make dependencies install-python
+          make build
+
+      - name: "Upload lambda artefact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: lambda
+          path: dist/lambda.zip
 
       - name: "Download Built Lambdas"
         uses: actions/download-artifact@v4
@@ -118,10 +133,10 @@ jobs:
         # just planning for now for safety and until review
         run: |
           mkdir -p ./build
-          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=plan"
-          make terraform env=$ENVIRONMENT stack=networking tf-command=plan workspace=$WORKSPACE
-          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=plan"
-          make terraform env=$ENVIRONMENT stack=api-layer tf-command=plan workspace=$WORKSPACE
+          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=networking tf-command=apply"
+          make terraform env=$ENVIRONMENT stack=networking tf-command=apply workspace=$WORKSPACE
+          echo "Running: make terraform env=$ENVIRONMENT workspace=$WORKSPACE stack=api-layer tf-command=apply"
+          make terraform env=$ENVIRONMENT stack=api-layer tf-command=apply workspace=$WORKSPACE
         working-directory: ./infrastructure
 
       - name: "Tag the deployment using incremental semantic versioning"
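Review bot: `environment: ${{ inputs.environment }}` gates the deploy job on whatever name the caller supplies, and GitHub auto-creates an environment with no protection rules when a workflow references a name that does not exist, so a typo or an unexpected input would run the apply steps with this job's `id-token: write` and no reviewer approval. Constrain the value where the input is declared (outside this hunk): for a `workflow_dispatch` input use `type: choice` with the deployed environment names as `options`, and for a `workflow_call` input add a first step that fails unless the value is in that allow-list. The AWS role's OIDC trust policy should likewise match the `sub` claim on `environment:<name>` rather than on the repository alone, so the token minted here cannot assume the role from an unprotected environment.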
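Review bot: The new `Build lambda artefact` and `Upload lambda artefact` steps rebuild `dist/lambda.zip` from source inside the job that holds the deployment credentials, so what gets deployed is a fresh build rather than the artefact the earlier stages produced and tested — and the existing `Download Built Lambdas` step that follows suggests such an artefact already exists. If the intent is to consume the upstream build, remove the checkout/build/upload steps; if the rebuild is deliberate, remove the download instead, and be aware that `upload-artifact@v4` rejects a second artefact named `lambda` in the same run unless `overwrite: true` is set. Separately, `actions/checkout@v4` and `actions/upload-artifact@v4` (like `actions/setup-python@v5` above them) are mutable major tags in a job that holds `id-token: write`; pin each to a full commit SHA with the version in a trailing comment, e.g. `uses: actions/checkout@<40-char sha> # v4`.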
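Review bot: The comment `# just planning for now for safety and until review` directly above `run: |` is now false, because both `make terraform` invocations switched from `tf-command=plan` to `tf-command=apply`; left as is, the next reader will assume the job is still read-only. Replace it with a statement of what now protects the apply, e.g. `# Applies networking then api-layer; the apply is gated by the job's GitHub environment protection rules`, or remove it. Consider also writing a saved plan (`plan -out`) and applying that file so that what was reviewed is exactly what is applied — the `make terraform` target is outside this diff, so I cannot tell whether it already does this or whether it passes `-input=false` and `-auto-approve`.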
@@ -168,8 +183,7 @@ jobs:
           body: |
             Auto-release created during deployment.
           draft: false
-          prerelease: ${{ inputs.environment == 'ref' }}
-
+          prerelease: ${{ inputs.environment == 'preprod' }}
 
       # TODO: complete notify step
       # success:
diff --git a/infrastructure/modules/api_gateway/iam.tf b/infrastructure/modules/api_gateway/iam.tf
index 5393e0066..c59937a70 100644
--- a/infrastructure/modules/api_gateway/iam.tf
+++ b/infrastructure/modules/api_gateway/iam.tf
@@ -15,19 +15,38 @@ resource "aws_iam_role" "api_gateway" {
 }
 
 data "aws_iam_policy_document" "api_gateway_logging" {
+  #checkov:skip=CKV_AWS_356: Wildcard permissions needed for global log event reads
   statement {
-    sid = "AllowCloudWatchLogging"
+    sid = "AllowCreateLogGroup"
+    effect = "Allow"
+    actions = [
+      "logs:CreateLogGroup"
+    ]
+    resources = [
+      "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:*"
+    ]
+  }
+  statement {
+    sid = "AllowLogStreamAndEvents"
     effect = "Allow"
     actions = [
-      "logs:CreateLogGroup",
       "logs:CreateLogStream",
+      "logs:PutLogEvents"
+    ]
+    resources = [
+      "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/*"
+    ]
+  }
+  statement {
+    sid = "AllowDescribeAndGet"
+    effect = "Allow"
+    actions = [
       "logs:DescribeLogGroups",
       "logs:DescribeLogStreams",
-      "logs:PutLogEvents",
       "logs:GetLogEvents",
       "logs:FilterLogEvents"
     ]
-    resources = [aws_cloudwatch_log_group.api_gateway.arn]
+    resources = ["*"]
   }
 }
 
diff --git a/infrastructure/stacks/api-layer/api_gateway.tf b/infrastructure/stacks/api-layer/api_gateway.tf
index 0c5691196..745210a25 100644
--- a/infrastructure/stacks/api-layer/api_gateway.tf
+++ b/infrastructure/stacks/api-layer/api_gateway.tf
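Review bot: `prerelease: ${{ inputs.environment == 'preprod' }}` marks the GitHub release as a full release for every environment except `preprod`, so a deployment to a development or test environment (the workflow is parameterised on `inputs.environment`) would publish a non-prerelease release. Inverting the test is the safer default: `prerelease: ${{ inputs.environment != 'prod' }}`, substituting the real production environment name, which this diff does not show. The release step this line belongs to starts outside the hunk.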
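Review bot: The `AllowDescribeAndGet` statement grants `logs:GetLogEvents` and `logs:FilterLogEvents` on `resources = ["*"]`, which lets the API Gateway role read the contents of every log group in the account, where the previous version was scoped to `aws_cloudwatch_log_group.api_gateway.arn`. As far as I recall only `logs:DescribeLogGroups` lacks resource-level permissions; stream and event reads accept log-group ARNs, so split the statement, scope the reads to the same `/aws/apigateway/*` ARN used for writes, and reword the skip to match, e.g. `#checkov:skip=CKV_AWS_356: logs:DescribeLogGroups does not accept a resource ARN`. Also, if this role is used as the account-level CloudWatch Logs role for API Gateway, execution logs land in groups named `API-Gateway-Execution-Logs_<api-id>/<stage>`, which the `/aws/apigateway/*` ARN in `AllowLogStreamAndEvents` would not match — worth confirming against the log group actually written to.
```hcl
  # ... unchanged: AllowCreateLogGroup and AllowLogStreamAndEvents statements ...
  statement {
    sid       = "AllowDescribeLogGroups"
    effect    = "Allow"
    actions   = ["logs:DescribeLogGroups"]
    resources = ["*"]
  }
  statement {
    sid    = "AllowReadApiGatewayLogs"
    effect = "Allow"
    actions = [
      "logs:DescribeLogStreams",
      "logs:GetLogEvents",
      "logs:FilterLogEvents"
    ]
    resources = [
      "arn:aws:logs:${var.region}:${data.aws_caller_identity.current.account_id}:log-group:/aws/apigateway/*"
    ]
  }
```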
@@ -99,6 +99,14 @@ resource "aws_api_gateway_domain_name" "check_eligibility" {
   lifecycle {
     create_before_destroy = true
   }
+
+  depends_on = [
+    aws_s3_object.pem_file,
+    data.aws_acm_certificate.imported_cert,
+    data.aws_acm_certificate.validation_cert,
+    module.s3_truststore_bucket,
+    module.eligibility_signposting_api_gateway
+  ]
 }
 
 resource "aws_api_gateway_base_path_mapping" "eligibility-signposting-api" {
diff --git a/infrastructure/stacks/api-layer/data.tf b/infrastructure/stacks/api-layer/data.tf
index ae018e6b6..f4dfb5827 100644
--- a/infrastructure/stacks/api-layer/data.tf
+++ b/infrastructure/stacks/api-layer/data.tf
@@ -16,7 +16,7 @@ data "aws_acm_certificate" "validation_cert" {
 }
 
 data "aws_kms_alias" "networking_ssm_key" {
-  name = "alias/dev-Networking-ssm-parameters"
+  name = "alias/${var.environment}-Networking-ssm-parameters"
 }
 
 data "aws_ssm_parameter" "mtls_api_client_cert" {
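Review bot: The new `depends_on` list carries no comment explaining why explicit ordering is required, and Terraform's own guidance is to document every `depends_on` because it is a last resort that hides the real dependency from later readers. Two of the five entries, `data.aws_acm_certificate.imported_cert` and `data.aws_acm_certificate.validation_cert`, are data sources that the domain-name resource very likely already references through its certificate-ARN attributes (the resource's head is outside this hunk), which would make them redundant. Add a line such as `# The truststore object and certificates must exist before the custom domain is created; the S3 object is not referenced by any attribute here` — adjusted to the actual reason, which from the names (`pem_file`, `s3_truststore_bucket`) presumably concerns mutual TLS — and drop any entries already implied by attribute references.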