diff --git a/tofu/config/development/infra/.terraform.lock.hcl b/tofu/config/development/infra/.terraform.lock.hcl
index 5459de0..d7db748 100644
--- a/tofu/config/development/infra/.terraform.lock.hcl
+++ b/tofu/config/development/infra/.terraform.lock.hcl
@@ -2,20 +2,20 @@
 # Manual edits may be lost in future updates.
 
 provider "registry.opentofu.org/hashicorp/aws" {
-  version     = "5.99.1"
-  constraints = ">= 3.29.0, >= 3.74.0, >= 4.15.1, >= 4.37.0, >= 5.0.0, >= 5.44.0, >= 5.79.0, >= 5.83.0, >= 5.93.0, ~> 5.93"
+  version     = "5.100.0"
+  constraints = ">= 3.29.0, >= 3.74.0, >= 4.15.1, >= 4.37.0, >= 5.0.0, >= 5.44.0, >= 5.79.0, >= 5.83.0, >= 5.91.0, >= 5.92.0, >= 5.93.0, ~> 5.93, >= 5.99.0"
   hashes = [
-    "h1:0jNckFqimGrHhRB88880ovIpmoE20xhjRb94GBdgjwo=",
-    "zh:13a07422f776dd97214dfa89d6a88340b99613cbb869013c756c1a68fd8cdd9d",
-    "zh:1841d422278afa25d42a8d3ea9197ad08cf092769bd2aa89056d25d4c2629df8",
-    "zh:269016c7ba09d76e42fbcf15de28f2de0595ff9a7304a0500011a4493d7a1551",
-    "zh:2b842c3d0f30e048c05a37752b9c07d316656f3caf79841d08a4f1b057555eb2",
-    "zh:6559eedc095f70a51460dc702613a9033734ba536c1de1ed86a735a3c8131e40",
-    "zh:6d43b2676630344db3a7d6ba8330d20993492168f124e19e040a0aa914ec832e",
-    "zh:7f5d5cb0c1a492080b668f456de50f5b91fc67018c05f12483added3faf703f6",
-    "zh:c3bb8094bf26565150229f1ca6014d41d1283b8a2b06a15b45cd5a6b4ce82e28",
-    "zh:e45bc994d0c6e1c0a0b70e8378f2f933e924f05c91061ed2a97ceaf282e08a25",
-    "zh:ee725d6fbc1dbaa5017e9eab6fa0aa7e107a4ed73a4a8e2acab6b5d3d54cd0e4",
+    "h1:BrNG7eFOdRrRRbHdvrTjMJ8X8Oh/tiegURiKf7J2db8=",
+    "zh:1a41f3ee26720fee7a9a0a361890632a1701b5dc1cf5355dc651ddbe115682ff",
+    "zh:30457f36690c19307921885cc5e72b9dbeba369445815903acd5c39ac0e41e7a",
+    "zh:42c22674d5f23f6309eaf3ac3a4f1f8b66b566c1efe1dcb0dd2fb30c17ce1f78",
+    "zh:4cc271c795ff8ce6479ec2d11a8ba65a0a9ed6331def6693f4b9dccb6e662838",
+    "zh:60932aa376bb8c87cd1971240063d9d38ba6a55502c867fdbb9f5361dc93d003",
+    "zh:864e42784bde77b18393ebfcc0104cea9123da5f4392e8a059789e296952eefa",
+    "zh:9750423138bb01ecaa5cec1a6691664f7783d301fb1628d3b64a231b6b564e0e",
+    "zh:e5d30c4dec271ef9d6fe09f48237ec6cfea1036848f835b4e47f274b48bda5a7",
+    "zh:e62bd314ae97b43d782e0841b13e68a3f8ec85cc762004f973ce5ce7b6cdbfd0",
+    "zh:ea851a3c072528a4445ac6236ba2ce58ffc99ec466019b0bd0e4adde63a248e4",
   ]
 }
 
diff --git a/tofu/config/development/infra/main.tf b/tofu/config/development/infra/main.tf
index ba4976f..0e0e2c7 100644
--- a/tofu/config/development/infra/main.tf
+++ b/tofu/config/development/infra/main.tf
@@ -66,9 +66,13 @@ module "app" {
   )
 
   # If we're using one of our shared domain, put the application under a
-  # subdomain of its own.
-  subdomain = try(each.value.domain, null) != null ? null : each.key
+  # subdomain of its own unless the subdomain is explicitly set.
+  subdomain = try(
+    each.value.subdomain,
+    try(each.value.domain, null) != null ? null : each.key
+  )
 
+  logging_bucket  = module.logging.bucket
   logging_key_arn = module.logging.kms_key_arn
   vpc_id          = module.vpc.vpc_id
   private_subnets = module.vpc.private_subnets
diff --git a/tofu/modules/app/local.tf b/tofu/modules/app/local.tf
index deec250..7beb0fe 100644
--- a/tofu/modules/app/local.tf
+++ b/tofu/modules/app/local.tf
@@ -3,7 +3,7 @@ locals {
     for lambda in data.aws_lambda_functions.all.function_names :
     lambda if length(regexall("^DatadogIntegration-ForwarderStack-", lambda)) > 0
   ]
-  domain_prefix = "${var.subdomain == null ? "" : ".${var.subdomain}"}${local.production ? "" : ".${var.environment}"}"
+  domain_prefix = var.subdomain == null ? "" : var.subdomain
   log_groups = setunion(
     data.aws_cloudwatch_log_groups.ecs.log_group_names,
     data.aws_cloudwatch_log_groups.ecs_insights.log_group_names,
diff --git a/tofu/modules/app/main.tf b/tofu/modules/app/main.tf
index 0970183..6166a8c 100644
--- a/tofu/modules/app/main.tf
+++ b/tofu/modules/app/main.tf
@@ -1,5 +1,5 @@
 module "secrets" {
-  source = "github.com/codeforamerica/tofu-modules-aws-secrets?ref=1.0.0"
+  source = "github.com/codeforamerica/tofu-modules-aws-secrets?ref=secret-name"
 
   project     = var.project
   environment = var.environment
@@ -33,9 +33,14 @@ module "service" {
   service_short      = try(each.value.short_name, each.key)
   desired_containers = try(each.value.desired_containers, local.production ? 2 : 1)
   health_check_path  = try(each.value.health_check_path, "/health")
+  logging_bucket     = var.logging_bucket
 
-  domain    = var.domain
-  subdomain = "${try(each.value.subdomain, "www")}${local.domain_prefix}"
+  domain            = var.domain
+  subdomain         = join(".", compact([try(each.value.subdomain, null), local.domain_prefix]))
+  create_repository = try(each.value.image, null) == null
+  image_url         = try(each.value.image, "")
+  repository_arn    = try(each.value.repository_arn, null)
+  image_tag         = try(each.value.image_tag, "latest")
   force_delete      = !local.production
   oidc_settings     = local.oidc_settings
 
diff --git a/tofu/modules/app/variables.tf b/tofu/modules/app/variables.tf
index a0feda7..a687247 100644
--- a/tofu/modules/app/variables.tf
+++ b/tofu/modules/app/variables.tf
@@ -26,6 +26,11 @@ variable "internal" {
   default     = true
 }
 
+variable "logging_bucket" {
+  description = "The S3 bucket used for logging."
+  type        = string
+}
+
 variable "logging_key_arn" {
   description = "The ARN of the KMS key used for logging."
   type        = string