diff --git a/configuration/.terraform.lock.hcl b/configuration/.terraform.lock.hcl
new file mode 100644
index 0000000..579cec7
--- /dev/null
+++ b/configuration/.terraform.lock.hcl
@@ -0,0 +1,25 @@
+# This file is maintained automatically by "terraform init".
+# Manual edits may be lost in future updates.
+
+provider "registry.terraform.io/hashicorp/aws" {
+ version = "5.67.0"
+ constraints = "~> 5.19"
+ hashes = [
+ "h1:4TotEB6Cdfagsdnt8cBM0vRDDwUaC+05qFVsHBWZrAA=",
+ "zh:1259c8106c0a3fc0ed3b3eb814ab88d6a672e678b533f47d1bbbe3107949f43e",
+ "zh:226414049afd6d334cc16ff5d6cef23683620a9b56da67a21422a113d9cce4ab",
+ "zh:3c89b103aea20ef82a84e889abaeb971cb168de8292b61b34b83e807c40085a9",
+ "zh:3dd88e994fb7d7a6c6eafd3c01393274e4f776021176acea2e980f73fbd4acbc",
+ "zh:487e0dda221c84a20a143904c1cee4e63fce6c5c57c21368ea79beee87b108da",
+ "zh:7693bdcec8181aafcbda2c41c35b1386997e2c92b6f011df058009e4c8b300e1",
+ "zh:82679536250420f9e8e6edfd0fa9a1bab99a7f31fe5f049ac7a2e0d8c287b56f",
+ "zh:8685218dae921740083820c52afa66cdf14cf130539da1efd7d9a78bfb6ade64",
+ "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
+ "zh:9e553a3ec05eedea779d393447fc316689ba6c4d4d8d569b986898e6dbe58fee",
+ "zh:a36c24acd3c75bac8211fefde58c459778021eb871ff8339be1c26ad8fd67ee1",
+ "zh:ce48bd1e35d6f996f1a09d8f99e8084469b7fec5611e67a50a63e96375b87ebe",
+ "zh:d6c76a24205513725269e4783da14be9648e9086fb621496052f4b37d52d785e",
+ "zh:d95a31745affb178ea48fa8e0be94691a8f7507ea55c0d0a4b6e0a8ef6fcb929",
+ "zh:f061ce59fac1bc425c1092e6647ed4bb1b61824416041b46dbf336e01a63ad89",
+ ]
+}
diff --git a/configuration/main.tf b/configuration/main.tf
new file mode 100644
index 0000000..bffd209
--- /dev/null
+++ b/configuration/main.tf
@@ -0,0 +1,35 @@
+terraform {
+ backend "s3" {
+ key = "infrastructure_configuration.tfstate"
+ }
+
+ required_providers {
+ aws = "~> 5.19"
+ }
+ required_version = ">= 1.3.0"
+}
+
+provider "aws" {
+ default_tags {
+ tags = local.tags
+ }
+}
+
+locals {
+# environment = module.core.outputs.stack.environment
+ namespace = module.core.outputs.stack.namespace
+ prefix = module.core.outputs.stack.prefix
+ tags = merge(
+ module.core.outputs.stack.tags,
+ {
+ Component = "configuration",
+ Git = "github.com/nulib/infrastructure" Project = "Infrastructure"
+ }
+ )
+}
+
+module "core" {
+ source = "../modules/remote_state"
+ component = "core"
+}
diff --git a/configuration/secrets.tf b/configuration/secrets.tf
new file mode 100644
index 0000000..a38f22a
--- /dev/null
+++ b/configuration/secrets.tf
@@ -0,0 +1,11 @@
+resource "aws_secretsmanager_secret" "data_services" {
+ for_each = var.secrets
+ name = "${local.prefix}/infrastructure/${each.key}"
+ description = "${each.key} secrets for ${local.namespace}"
+}
+
+resource "aws_secretsmanager_secret_version" "config_secrets" {
+ for_each = var.secrets
+ secret_id = aws_secretsmanager_secret.data_services[each.key].id
+ secret_string = jsonencode(each.value)
+}
diff --git a/configuration/variables.tf b/configuration/variables.tf
new file mode 100644
index 0000000..b55eee7
--- /dev/null
+++ b/configuration/variables.tf
@@ -0,0 +1,3 @@
+variable "secrets" {
+ type = map(any)
+}
diff --git a/core/secrets.tf b/core/secrets.tf
new file mode 100644
index 0000000..7e6b55b
--- /dev/null
+++ b/core/secrets.tf
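Review bot: In the `locals` block of configuration/main.tf the `Git` and `Project` tag entries appear on a single line with nothing between them (`Git = "github.com/nulib/infrastructure" Project = "Infrastructure"`); if the file really reads that way HCL needs a newline or comma between object attributes and `terraform validate` will reject it, although the hunk header's +35 count suggests a line break was lost in this rendering rather than in the file. The commented-out `# environment = module.core.outputs.stack.environment` line in the same block is dead code; either drop it or replace it with a comment on why the environment value is intentionally not carried into this root module. `required_providers { aws = "~> 5.19" }` uses the legacy string shorthand; the documented object form `aws = { source = "hashicorp/aws", version = "~> 5.19" }` matches the `registry.terraform.io/hashicorp/aws` entry the lock file records. The `backend "s3"` block sets only `key`, so bucket, region and encryption must be supplied through `-backend-config` at init time; a one-line comment naming where those values live would save the next reader a search.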
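Review bot: `name = "${local.prefix}/infrastructure/${each.key}"` in configuration/secrets.tf follows the same `<prefix>/infrastructure/<key>` scheme that core/secrets.tf uses for its `wildcard_cert` secret under `${terraform.workspace}/infrastructure/`; if `local.prefix` resolves to the workspace name, a `wildcard_cert` key in `var.secrets` would target the secret the core stack already owns, and the create would presumably fail with a name conflict or leave two stacks managing one resource. The `jsonencode(each.value)` payload is written into this root module's state in clear text, as is normal for `aws_secretsmanager_secret_version`, so the partially specified `backend "s3"` in main.tf needs server-side encryption and tight bucket access — not visible in this diff, worth confirming. A header comment on the resource stating the contract — one secret per top-level key of `var.secrets`, the value stored as the JSON encoding of that key's map, and that keys must not overlap with those created by the core stack — would make the variable's expected shape explicit.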
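Review bot: `variable "secrets"` in configuration/variables.tf is the source of every `secret_string` in configuration/secrets.tf but is not marked sensitive, so its values can be echoed in plan/apply output, `terraform console` or error messages wherever they are referenced outside the provider-redacted attribute; add `sensitive = true` and a `description = "Map of secret name to the key/value map stored as that secret's JSON string"`. If the values are always flat string maps, `type = map(map(string))` would also reject malformed input at plan time instead of encoding whatever arrives, though `jsonencode` accepts `any` so that is a tightening to confirm against the callers.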
@@ -0,0 +1,20 @@
+locals {
+ secrets = {
+ wildcard_cert = {
+ domain = aws_acm_certificate.wildcard_cert.domain_name
+ certificate_arn = aws_acm_certificate.wildcard_cert.arn
+ }
+ }
+}
+
+resource "aws_secretsmanager_secret" "data_services" {
+ for_each = local.secrets
+ name = "${terraform.workspace}/infrastructure/${each.key}"
+ description = "${each.key} secrets for ${terraform.workspace}"
+}
+
+resource "aws_secretsmanager_secret_version" "config_secrets" {
+ for_each = local.secrets
+ secret_id = aws_secretsmanager_secret.data_services[each.key].id
+ secret_string = jsonencode(each.value)
+}
diff --git a/fcrepo/secrets.tf b/fcrepo/secrets.tf
index 3e7a575..9e03585 100644
--- a/fcrepo/secrets.tf
+++ b/fcrepo/secrets.tf
@@ -1,7 +1,7 @@
 locals {
 secrets = {
 fcrepo = {
- endpoint = "http://${aws_service_discovery_service.fcrepo.name}.${module.core.outputs.vpc.service_discovery_dns_zone.name}:8080/rest"
+ endpoint = "http://${aws_service_discovery_service.fcrepo.name}.${module.core.outputs.vpc.service_discovery_dns_zone.name}:8080/rest/"
 }
 }
 }
diff --git a/iiif-server/template.yaml b/iiif-server/template.yaml
index 77629f2..17febb5 100644
--- a/iiif-server/template.yaml
+++ b/iiif-server/template.yaml
@@ -112,6 +112,7 @@ Resources:
 Type: AWS::SecretsManager::Secret
 Properties:
 Name: !Sub "${Namespace}/infrastructure/iiif"
+ Description: !Sub "iiif secrets for ${Namespace}"
 SecretString:
 Fn::ToJsonString:
 base: !Sub "https://${Hostname}.${DomainName}/"
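Review bot: The secret name in core/secrets.tf is built from `terraform.workspace`, while configuration/secrets.tf builds its names from `local.prefix` and the iiif template uses `${Namespace}`; unless all three resolve to the same string, a consumer that looks up `<prefix>/infrastructure/wildcard_cert` will not find the secret this stack creates, so a comment naming which value is the canonical prefix — or switching this file to the same source the others use — would remove the ambiguity. The labels `data_services` and `config_secrets` are copied from configuration/secrets.tf, but the only entry here is `wildcard_cert` (a domain name and certificate ARN), so `aws_secretsmanager_secret.data_services` is a misleading address for a new file where a label such as `wildcard_cert` costs nothing. The stored values are not confidential, so if the aim is discovery by other stacks rather than secrecy, an SSM parameter or an output of this stack would do the same job without per-secret cost, though that is a design choice beyond this hunk.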