diff --git a/_shared/ravion_cert_groups/data.tf b/_shared/ravion_cert_groups/data.tf
new file mode 100644
index 0000000..3af5db2
--- /dev/null
+++ b/_shared/ravion_cert_groups/data.tf
@@ -0,0 +1,36 @@
+################################################################################
+# Per-cert-group DnsProvider resolution.
+#
+# `customer` groups carry their own provider on the row (id or
+# given_id; id wins). Non-customer kinds (`ravion_auto`) fall back to
+# the cluster's provider (var.ravion_dns_provider_id) so the data
+# source still resolves to a usable variant for downstream variant
+# dispatch (route53_ravion / route53 / cloudflare).
+################################################################################
+
+# Only iterates over groups that need their OWN DnsProvider row.
+# `ravion_auto` skips this lookup — it uses data.platform_apex below.
+# `inherit` (leaf-mode) skips too — its provider comes from
+# var.cluster_groups[group.parent_group_name].dns_provider_id.
+# `external` skips entirely — no provider row by definition.
+data "ravion_dns_provider" "groups" {
+  for_each = {
+    for g in var.cert_groups : g.name => g
+    if g.kind == "customer"
+  }
+
+  id = coalesce(each.value.dns_provider_id, "") != "" ? each.value.dns_provider_id : null
+  given_id = (
+    coalesce(each.value.dns_provider_id, "") == ""
+    ? each.value.dns_provider_given_id
+    : null
+  )
+}
+
+# Parent mode + kind=ravion_auto looks up the platform-apex DnsProvider
+# so the wildcard is allocated under the right zone. Count-gated so
+# leaf-mode + non-ravion_auto parent groups don't pay the lookup.
+data "ravion_dns_provider" "platform_apex" {
+  count    = var.mode == "parent" && length([for g in var.cert_groups : g if g.kind == "ravion_auto"]) > 0 ? 1 : 0
+  given_id = var.platform_apex_provider_given_id
+}
diff --git a/_shared/ravion_cert_groups/main.tf b/_shared/ravion_cert_groups/main.tf
new file mode 100644
index 0000000..f36121a
--- /dev/null
+++ b/_shared/ravion_cert_groups/main.tf
@@ -0,0 +1,587 @@
+################################################################################
+# Ravion cert-groups shared child module — dispatch by kind.
+#
+#   ravion_auto — Inherit cluster wildcard cert (no own ACM cert). Each
+#     domain in `domains` becomes `<label>-<hash>.<cluster-fqdn>` under
+#     var.ravion_parent_domain_allocation_id. Empty `domains` → ONE
+#     auto-allocation `<module_instance_given_id>-<random>.<cluster-fqdn>`
+#     (zero typing). Host-header rule per FQDN routed to var.target_group_arn.
+#
+#   customer — Operator's own DnsProvider on the row. Each domain is a
+#     full FQDN posted via fqdn_override. The group issues its OWN ACM
+#     cert covering all FQDNs, writes validation + routing records via
+#     the provider variant (route53_ravion / route53 / cloudflare),
+#     SNI-attaches the cert to var.listener_arn, and adds host-header
+#     rules.
+#
+#   external — Customer owns BOTH DNS and TLS material end-to-end.
+#     Ravion records the FQDN (so it shows on the Domains tab) and
+#     wires a host-header listener rule, but writes ZERO DNS records
+#     and provisions ZERO ACM cert. Customer's reverse-proxy / Cloudflare
+#     Tunnel / etc. is responsible for terminating TLS and pointing at
+#     var.routing_target_dns_name. Resolves the synthetic per-org
+#     EXTERNAL DnsProvider (looked up via data source by provider_type).
+#
+# Listener-rule priorities use a 32-bit sha256-derived bucket index
+# modulo 49000 (ALB priority range 1000..50000). Per-kind seed prefix
+# prevents collisions across kinds within the same listener.
+################################################################################
+
+locals {
+  has_listener     = var.listener_arn != null && var.listener_arn != ""
+  has_target_group = var.target_group_arn != null && var.target_group_arn != ""
+  cluster_managed  = var.ravion_parent_domain_allocation_id != null && var.ravion_parent_domain_allocation_id != ""
+  leaf_mode        = var.mode == "leaf"
+}
+
+################################################################################
+# 1. inherit groups — leaf labels under a chosen cluster
+#    parent group (issued by the upstream cluster's parent-mode block).
+#    No own cert; inherits the cluster wildcard via SNI.
+#
+# Domain semantics:
+#   non-empty `domains` — each entry is a leaf label; allocation is
+#                         `<label>-<hash>.<cluster.wildcard_fqdn>`.
+#   empty `domains`     — ONE zero-typing auto-allocation using
+#                         module_instance_given_id as the slug.
+################################################################################
+
+locals {
+  inherit_groups = local.leaf_mode ? {
+    for g in var.cert_groups :
+    g.name => g if g.kind == "inherit" && contains(keys(var.cluster_groups), coalesce(g.parent_group_name, ""))
+  } : {}
+
+  inherit_label_pairs = merge([
+    for g_name, g in local.inherit_groups : {
+      for d in g.domains : "${g_name}/${d}" => {
+        group_name        = g_name
+        slug              = d
+        parent_group_name = g.parent_group_name
+      }
+    }
+  ]...)
+
+  inherit_auto_groups = {
+    for g_name, g in local.inherit_groups :
+    g_name => g
+    if length(g.domains) == 0
+    && var.module_instance_given_id != null
+    && var.module_instance_given_id != ""
+  }
+
+  cw_label_priority = {
+    for k, _v in local.inherit_label_pairs :
+    k => (parseint(substr(sha256("cw:${var.name}:${k}"), 0, 8), 16) % 49000) + 1000
+  }
+  cw_auto_priority = {
+    for g_name, _v in local.inherit_auto_groups :
+    g_name => (parseint(substr(sha256("cw:auto:${var.name}:${g_name}"), 0, 8), 16) % 49000) + 1000
+  }
+}
+
+# 1a. Per-leaf allocation, nested under the chosen cluster parent group.
+resource "ravion_domain" "inherit_label" {
+  for_each = local.inherit_label_pairs
+
+  dns_provider_id             = var.cluster_groups[each.value.parent_group_name].dns_provider_id
+  slug                        = each.value.slug
+  parent_domain_allocation_id = var.cluster_groups[each.value.parent_group_name].parent_allocation_id
+}
+
+# 1b. Zero-typing auto allocation per group when `domains` is empty.
+resource "ravion_domain" "inherit_auto" {
+  for_each = local.inherit_auto_groups
+
+  dns_provider_id             = var.cluster_groups[each.value.parent_group_name].dns_provider_id
+  slug                        = var.module_instance_given_id
+  parent_domain_allocation_id = var.cluster_groups[each.value.parent_group_name].parent_allocation_id
+}
+
+resource "aws_lb_listener_rule" "inherit_label" {
+  for_each = local.inherit_label_pairs
+
+  listener_arn = var.listener_arn
+  priority     = local.cw_label_priority[each.key]
+
+  condition {
+    host_header {
+      values = [ravion_domain.inherit_label[each.key].fqdn]
+    }
+  }
+
+  action {
+    type             = "forward"
+    target_group_arn = var.target_group_arn
+  }
+
+  lifecycle {
+    ignore_changes = [action]
+  }
+
+  tags = merge(var.tags, {
+    "ravion:cert_group" = each.value.group_name
+    "ravion:kind"       = "inherit"
+  })
+}
+
+resource "aws_lb_listener_rule" "inherit_auto" {
+  for_each = local.inherit_auto_groups
+
+  listener_arn = var.listener_arn
+  priority     = local.cw_auto_priority[each.key]
+
+  condition {
+    host_header {
+      values = [ravion_domain.inherit_auto[each.key].fqdn]
+    }
+  }
+
+  action {
+    type             = "forward"
+    target_group_arn = var.target_group_arn
+  }
+
+  lifecycle {
+    ignore_changes = [action]
+  }
+
+  tags = merge(var.tags, {
+    "ravion:cert_group" = each.key
+    "ravion:kind"       = "inherit"
+  })
+}
+
+################################################################################
+# 2. customer groups
+################################################################################
+
+locals {
+  customer_groups = local.leaf_mode ? { for g in var.cert_groups : g.name => g if g.kind == "customer" } : {}
+
+  customer_pairs = local.leaf_mode ? merge([
+    for g in var.cert_groups : {
+      for d in g.domains : "${g.name}/${d}" => {
+        group_name = g.name
+        slug       = d
+      }
+    }
+    if g.kind == "customer"
+  ]...) : {}
+
+  customer_providers = {
+    for name, _g in local.customer_groups :
+    name => data.ravion_dns_provider.groups[name]
+  }
+
+  # Non-sensitive provider kind dispatch. data.ravion_dns_provider's
+  # cloudflare.api_token is marked Sensitive; ANY value derived from
+  # the provider attribute group inherits sensitivity, which Terraform
+  # then refuses inside for_each keys + filter conditions. nonsensitive()
+  # is safe here because the string result encodes only the discriminator
+  # (no secret payload).
+  customer_provider_kind = {
+    for name, _g in local.customer_groups :
+    name => nonsensitive(
+      data.ravion_dns_provider.groups[name].route53_ravion != null ? "route53_ravion" :
+      data.ravion_dns_provider.groups[name].route53 != null ? "route53" :
+      data.ravion_dns_provider.groups[name].cloudflare != null ? "cloudflare" :
+      "external"
+    )
+  }
+
+  customer_priority_for_pair = {
+    for k, _v in local.customer_pairs :
+    k => (parseint(substr(sha256("cust:${var.name}:${k}"), 0, 8), 16) % 49000) + 1000
+  }
+}
+
+resource "ravion_domain" "customer" {
+  for_each = local.customer_pairs
+
+  dns_provider_id = local.customer_providers[each.value.group_name].id
+  fqdn_override   = each.value.slug
+}
+
+resource "aws_acm_certificate" "customer" {
+  for_each = local.customer_groups
+
+  domain_name = ravion_domain.customer["${each.key}/${each.value.domains[0]}"].fqdn
+  subject_alternative_names = [
+    for d in slice(each.value.domains, 1, length(each.value.domains)) :
+    ravion_domain.customer["${each.key}/${d}"].fqdn
+  ]
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = merge(var.tags, {
+    "ravion:cert_group" = each.key
+    "ravion:kind"       = "customer"
+  })
+}
+
+locals {
+  # Static (group, domain) keys — known at plan, identical to
+  # customer_pairs. The per-domain validation option is resolved
+  # inside each resource body via a list-filter on
+  # `aws_acm_certificate.customer[cert_key].domain_validation_options`
+  # so the for_each keys stay statically determinable even though the
+  # validation values land only post-cert-issuance.
+  customer_validation_pairs = local.customer_pairs
+
+  customer_validation_pairs_route53_ravion = {
+    for k, v in local.customer_validation_pairs : k => v
+    if local.customer_provider_kind[v.group_name] == "route53_ravion"
+  }
+  customer_validation_pairs_route53 = {
+    for k, v in local.customer_validation_pairs : k => v
+    if local.customer_provider_kind[v.group_name] == "route53"
+  }
+  customer_validation_pairs_cloudflare = {
+    for k, v in local.customer_validation_pairs : k => v
+    if local.customer_provider_kind[v.group_name] == "cloudflare"
+  }
+}
+
+resource "ravion_dns_records" "customer_validation_ravion" {
+  for_each = local.customer_validation_pairs_route53_ravion
+
+  managed_domain_id = ravion_domain.customer[each.key].id
+  purpose           = "acm_validation"
+  records = [
+    for opt in aws_acm_certificate.customer[each.value.group_name].domain_validation_options : {
+      name  = opt.resource_record_name
+      type  = opt.resource_record_type
+      value = opt.resource_record_value
+      ttl   = 60
+    }
+    if opt.domain_name == ravion_domain.customer[each.key].fqdn
+  ]
+}
+
+resource "aws_route53_record" "customer_validation_r53" {
+  for_each = local.customer_validation_pairs_route53
+
+  zone_id = local.customer_providers[each.value.group_name].route53.hosted_zone_id
+  name = [
+    for opt in aws_acm_certificate.customer[each.value.group_name].domain_validation_options :
+    opt.resource_record_name
+    if opt.domain_name == ravion_domain.customer[each.key].fqdn
+  ][0]
+  type = [
+    for opt in aws_acm_certificate.customer[each.value.group_name].domain_validation_options :
+    opt.resource_record_type
+    if opt.domain_name == ravion_domain.customer[each.key].fqdn
+  ][0]
+  records = [
+    for opt in aws_acm_certificate.customer[each.value.group_name].domain_validation_options :
+    opt.resource_record_value
+    if opt.domain_name == ravion_domain.customer[each.key].fqdn
+  ]
+  ttl = 60
+}
+
+resource "ravion_dns_records" "customer_validation_metadata_r53" {
+  for_each = local.customer_validation_pairs_route53
+
+  managed_domain_id = ravion_domain.customer[each.key].id
+  purpose           = "acm_validation"
+  records = [
+    for opt in aws_acm_certificate.customer[each.value.group_name].domain_validation_options : {
+      name  = opt.resource_record_name
+      type  = opt.resource_record_type
+      value = opt.resource_record_value
+      ttl   = 60
+    }
+    if opt.domain_name == ravion_domain.customer[each.key].fqdn
+  ]
+  depends_on = [aws_route53_record.customer_validation_r53]
+}
+
+# Cloudflare validation records — single SDK-backed write. The
+# api-go CloudflareWriter resolves the customer's api_token from
+# vault and calls cloudflare-go's DNS API directly.
+resource "ravion_dns_records" "customer_validation_cf" {
+  for_each = local.customer_validation_pairs_cloudflare
+
+  managed_domain_id = ravion_domain.customer[each.key].id
+  purpose           = "acm_validation"
+  records = [
+    for opt in aws_acm_certificate.customer[each.value.group_name].domain_validation_options : {
+      name  = opt.resource_record_name
+      type  = opt.resource_record_type
+      value = opt.resource_record_value
+      ttl   = 60
+    }
+    if opt.domain_name == ravion_domain.customer[each.key].fqdn
+  ]
+}
+
+resource "aws_acm_certificate_validation" "customer" {
+  for_each = local.customer_groups
+
+  certificate_arn = aws_acm_certificate.customer[each.key].arn
+  validation_record_fqdns = concat(
+    [
+      for k, v in local.customer_validation_pairs_route53_ravion : ravion_dns_records.customer_validation_ravion[k].fqdns[0]
+      if v.group_name == each.key
+    ],
+    [
+      for k, v in local.customer_validation_pairs_route53 : ravion_dns_records.customer_validation_metadata_r53[k].fqdns[0]
+      if v.group_name == each.key
+    ],
+    [
+      for k, v in local.customer_validation_pairs_cloudflare : ravion_dns_records.customer_validation_cf[k].fqdns[0]
+      if v.group_name == each.key
+    ],
+  )
+}
+
+resource "ravion_managed_certificate" "customer" {
+  for_each = local.customer_groups
+
+  cert_arn  = aws_acm_certificate_validation.customer[each.key].certificate_arn
+  status    = "ISSUED"
+  pattern   = "EXACT"
+  ownership = local.customer_provider_kind[each.key] == "route53_ravion" ? "PLATFORM" : "CUSTOMER"
+  name      = each.key
+  kind      = "customer"
+  managed_domain_ids = [
+    for d in each.value.domains :
+    ravion_domain.customer["${each.key}/${d}"].managed_domain_id
+  ]
+  issued_at  = aws_acm_certificate.customer[each.key].not_before
+  expires_at = aws_acm_certificate.customer[each.key].not_after
+}
+
+resource "aws_lb_listener_certificate" "customer" {
+  for_each = local.customer_groups
+
+  listener_arn    = var.listener_arn
+  certificate_arn = aws_acm_certificate_validation.customer[each.key].certificate_arn
+}
+
+resource "ravion_dns_records" "customer_routing_ravion" {
+  for_each = {
+    for k, v in local.customer_pairs : k => v
+    if local.customer_provider_kind[v.group_name] == "route53_ravion"
+  }
+
+  managed_domain_id = ravion_domain.customer[each.key].id
+  purpose           = "routing"
+  records = [{
+    name = ravion_domain.customer[each.key].fqdn
+    type = "ALIAS"
+    value = jsonencode({
+      dns_name = var.routing_target_dns_name
+      zone_id  = var.routing_target_zone_id
+    })
+  }]
+}
+
+resource "aws_route53_record" "customer_routing_r53" {
+  for_each = {
+    for k, v in local.customer_pairs : k => v
+    if local.customer_provider_kind[v.group_name] == "route53"
+  }
+
+  zone_id = local.customer_providers[each.value.group_name].route53.hosted_zone_id
+  name    = ravion_domain.customer[each.key].fqdn
+  type    = "A"
+
+  alias {
+    name                   = var.routing_target_dns_name
+    zone_id                = var.routing_target_zone_id
+    evaluate_target_health = true
+  }
+}
+
+resource "ravion_dns_records" "customer_routing_metadata_r53" {
+  for_each = {
+    for k, v in local.customer_pairs : k => v
+    if local.customer_provider_kind[v.group_name] == "route53"
+  }
+
+  managed_domain_id = ravion_domain.customer[each.key].id
+  purpose           = "routing"
+  records = [{
+    name = ravion_domain.customer[each.key].fqdn
+    type = "ALIAS"
+    value = jsonencode({
+      dns_name = var.routing_target_dns_name
+      zone_id  = var.routing_target_zone_id
+    })
+  }]
+  depends_on = [aws_route53_record.customer_routing_r53]
+}
+
+resource "ravion_dns_records" "customer_routing_cf" {
+  for_each = {
+    for k, v in local.customer_pairs : k => v
+    if local.customer_provider_kind[v.group_name] == "cloudflare"
+  }
+
+  managed_domain_id = ravion_domain.customer[each.key].id
+  purpose           = "routing"
+  records = [{
+    name  = ravion_domain.customer[each.key].fqdn
+    type  = "CNAME"
+    value = var.routing_target_dns_name
+    ttl   = 60
+  }]
+}
+
+resource "aws_lb_listener_rule" "customer" {
+  for_each = local.customer_pairs
+
+  listener_arn = var.listener_arn
+  priority     = local.customer_priority_for_pair[each.key]
+
+  condition {
+    host_header {
+      values = [ravion_domain.customer[each.key].fqdn]
+    }
+  }
+
+  action {
+    type             = "forward"
+    target_group_arn = var.target_group_arn
+  }
+
+  lifecycle {
+    ignore_changes = [action]
+  }
+
+  tags = merge(var.tags, {
+    "ravion:cert_group" = each.value.group_name
+    "ravion:kind"       = "customer"
+  })
+}
+
+################################################################################
+# 3. external groups — customer owns DNS + TLS end-to-end.
+#
+# Metadata-only: emit a ravion_domain row (so the FQDN appears on the
+# Domains tab) and add a host-header listener rule so the ALB routes
+# matching traffic to the target group. Ravion writes ZERO DNS records
+# and provisions ZERO ACM cert — the customer is expected to either
+# bring a wildcard already attached to the listener, terminate TLS in
+# front of the ALB themselves, or accept HTTPS errors until they
+# attach their own cert out-of-band.
+################################################################################
+
+locals {
+  external_groups = local.leaf_mode ? { for g in var.cert_groups : g.name => g if g.kind == "external" } : {}
+
+  external_pairs = local.leaf_mode ? merge([
+    for g in var.cert_groups : {
+      for d in g.domains : "${g.name}/${d}" => {
+        group_name = g.name
+        slug       = d
+      }
+    }
+    if g.kind == "external"
+  ]...) : {}
+
+  external_priority_for_pair = {
+    for k, _v in local.external_pairs :
+    k => (parseint(substr(sha256("ext:${var.name}:${k}"), 0, 8), 16) % 49000) + 1000
+  }
+
+  has_external = length(local.external_pairs) > 0
+}
+
+data "ravion_dns_provider" "external" {
+  count    = local.has_external ? 1 : 0
+  given_id = var.external_dns_provider_given_id
+}
+
+resource "ravion_domain" "external" {
+  for_each = local.external_pairs
+
+  dns_provider_id = data.ravion_dns_provider.external[0].id
+  fqdn_override   = each.value.slug
+}
+
+resource "aws_lb_listener_rule" "external" {
+  for_each = local.external_pairs
+
+  listener_arn = var.listener_arn
+  priority     = local.external_priority_for_pair[each.key]
+
+  condition {
+    host_header {
+      values = [ravion_domain.external[each.key].fqdn]
+    }
+  }
+
+  action {
+    type             = "forward"
+    target_group_arn = var.target_group_arn
+  }
+
+  lifecycle {
+    ignore_changes = [action]
+  }
+
+  tags = merge(var.tags, {
+    "ravion:cert_group" = each.value.group_name
+    "ravion:kind"       = "external"
+  })
+}
+
+# Placeholder ravion_managed_certificate per external group — anchors
+# the cert-group identity for the Domains-tab projector (one MCert
+# row IS one cert group). Ravion provisions NO ACM cert here; the
+# synthetic `external:` ARN gives the unique key its uniqueness and
+# the status stays PENDING for the row's lifetime.
+resource "ravion_managed_certificate" "external" {
+  for_each = local.external_groups
+
+  cert_arn  = "external:${var.name}:${each.key}"
+  status    = "PENDING"
+  pattern   = "EXACT"
+  ownership = "CUSTOMER"
+  name      = each.key
+  kind      = "external"
+  managed_domain_ids = [
+    for d in each.value.domains :
+    ravion_domain.external["${each.key}/${d}"].managed_domain_id
+  ]
+}
+
+################################################################################
+# 4. inherit-group placeholder certs.
+#
+# Inherit groups SNI-share the parent cluster's wildcard cert via the
+# parent_allocation chain — they don't issue their own. To anchor the
+# cert-group identity on the Domains tab (one ManagedCertificate IS
+# one cert group), we emit a placeholder ravion_managed_certificate
+# per group with a synthetic `inherit:` ARN.
+################################################################################
+
+resource "ravion_managed_certificate" "inherit" {
+  for_each = local.inherit_groups
+
+  cert_arn  = "inherit:${var.name}:${each.key}"
+  status    = "ISSUED"
+  pattern   = "WILDCARD"
+  # Inherit certs ride the parent's wildcard via SNI — mirror its
+  # ownership so the placeholder row in the Domains tab matches the
+  # real underlying cert.
+  ownership = var.cluster_groups[each.value.parent_group_name].ownership
+  name      = each.key
+  kind      = "inherit"
+  managed_domain_ids = concat(
+    [
+      for d in each.value.domains :
+      ravion_domain.inherit_label["${each.key}/${d}"].managed_domain_id
+    ],
+    contains(keys(local.inherit_auto_groups), each.key)
+    ? [ravion_domain.inherit_auto[each.key].managed_domain_id]
+    : [],
+  )
+}
diff --git a/_shared/ravion_cert_groups/outputs.tf b/_shared/ravion_cert_groups/outputs.tf
new file mode 100644
index 0000000..e8a4629
--- /dev/null
+++ b/_shared/ravion_cert_groups/outputs.tf
@@ -0,0 +1,40 @@
+output "domain_fqdns" {
+  description = "Map of `<group>/<slug>` → resolved FQDN across every cert group + kind."
+  value = merge(
+    { for k, alloc in ravion_domain.inherit_label : k => alloc.fqdn },
+    { for name, alloc in ravion_domain.inherit_auto : "${name}/auto" => alloc.fqdn },
+    { for k, alloc in ravion_domain.customer : k => alloc.fqdn },
+  )
+}
+
+output "domain_allocation_ids" {
+  description = "Map of `<group>/<slug>` → DomainAllocation id."
+  value = merge(
+    { for k, alloc in ravion_domain.inherit_label : k => alloc.id },
+    { for name, alloc in ravion_domain.inherit_auto : "${name}/auto" => alloc.id },
+    { for k, alloc in ravion_domain.customer : k => alloc.id },
+  )
+}
+
+output "customer_cert_arns" {
+  description = "Map of group name → ACM cert ARN for customer-kind groups."
+  value       = { for k, v in aws_acm_certificate_validation.customer : k => v.certificate_arn }
+}
+
+output "parent_groups" {
+  description = "Parent-mode output: map of group name → wildcard parent allocation + cert. Service modules' inherit kind looks up entries here via parent_group_name."
+  value = {
+    for name, alloc in local.parent_allocations : name => {
+      parent_allocation_id = alloc.id
+      managed_domain_id    = alloc.managed_domain_id
+      wildcard_fqdn        = alloc.fqdn
+      cert_arn             = aws_acm_certificate_validation.parent[name].certificate_arn
+      dns_provider_id      = alloc.provider.id
+      # Mirror of the parent cert's ownership (PLATFORM = Ravion apex,
+      # CUSTOMER = customer-owned zone). Leaf-mode `inherit` certs reuse
+      # this so the placeholder ManagedCertificate row has the same
+      # ownership as the cert it rides via SNI.
+      ownership = contains(keys(local.parent_groups_route53_ravion), name) ? "PLATFORM" : "CUSTOMER"
+    }
+  }
+}
diff --git a/_shared/ravion_cert_groups/parent.tf b/_shared/ravion_cert_groups/parent.tf
new file mode 100644
index 0000000..78007ec
--- /dev/null
+++ b/_shared/ravion_cert_groups/parent.tf
@@ -0,0 +1,216 @@
+################################################################################
+# Parent-mode dispatch — issues ONE wildcard cert per group.
+#
+# Only active when var.mode == "parent". The cluster module uses this
+# to create the wildcard cert(s) services nest under via cluster_inherit
+# kind. NO listener rules + NO routing records — clusters don't route,
+# they just attach the cert as SNI so the listener can serve it when a
+# service FQDN comes in.
+#
+# Wildcard FQDN derivation:
+#   kind=ravion_auto  → `<module_instance_id>-<random>.<platform_apex_domain>`
+#                        (slug = stable hash of module_instance_id; suffix random)
+#   kind=customer     → operator-typed wildcard_fqdn on the row
+################################################################################
+
+locals {
+  parent_groups = var.mode == "parent" ? {
+    for g in var.cert_groups : g.name => g
+  } : {}
+
+  parent_ravion_auto_groups = {
+    for name, g in local.parent_groups : name => g if g.kind == "ravion_auto"
+  }
+
+  parent_customer_groups = {
+    for name, g in local.parent_groups : name => g if g.kind == "customer"
+  }
+}
+
+# 1a. ravion_auto parent allocation — slug derives from module_instance_id
+# so two clusters in the same org can't collide on the auto allocation.
+resource "ravion_domain" "parent_ravion_auto" {
+  for_each = local.parent_ravion_auto_groups
+
+  dns_provider_id = data.ravion_dns_provider.platform_apex[0].id
+  slug            = var.module_instance_id
+
+  lifecycle {
+    precondition {
+      condition     = var.module_instance_id != null && var.module_instance_id != ""
+      error_message = "module_instance_id must be set when using ravion_auto parent cert groups."
+    }
+  }
+}
+
+# 1b. customer parent allocation — full FQDN typed by operator.
+resource "ravion_domain" "parent_customer" {
+  for_each = local.parent_customer_groups
+
+  dns_provider_id = data.ravion_dns_provider.groups[each.key].id
+  fqdn_override   = each.value.wildcard_fqdn
+
+  lifecycle {
+    precondition {
+      condition     = each.value.wildcard_fqdn != null && each.value.wildcard_fqdn != ""
+      error_message = "wildcard_fqdn must be set on customer parent cert groups."
+    }
+  }
+}
+
+# Unified per-group view for downstream resources — same shape whether
+# the allocation came from ravion_auto or customer.
+locals {
+  parent_allocations = merge(
+    { for name, alloc in ravion_domain.parent_ravion_auto : name => {
+      id                = alloc.id
+      managed_domain_id = alloc.managed_domain_id
+      fqdn              = alloc.fqdn
+      provider          = data.ravion_dns_provider.platform_apex[0]
+      kind              = "ravion_auto"
+    } },
+    { for name, alloc in ravion_domain.parent_customer : name => {
+      id                = alloc.id
+      managed_domain_id = alloc.managed_domain_id
+      fqdn              = alloc.fqdn
+      provider          = data.ravion_dns_provider.groups[name]
+      kind              = "customer"
+    } },
+  )
+}
+
+# 2. ONE wildcard ACM cert per parent group.
+resource "aws_acm_certificate" "parent" {
+  for_each = local.parent_allocations
+
+  domain_name       = "*.${each.value.fqdn}"
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = merge(var.tags, {
+    "ravion:cert_group" = each.key
+    "ravion:kind"       = "parent_wildcard"
+  })
+}
+
+# 3. Per-group variant subsets. Keys are group names (KNOWN at plan
+# time); values include the cert (needed for domain_validation_options
+# which is only known after apply). Iterating these maps means TF can
+# plan the resource set without resolving the cert's validation list.
+locals {
+  # Non-sensitive kind dispatch — see customer_provider_kind in main.tf
+  # for the rationale (data.ravion_dns_provider.cloudflare.api_token is
+  # marked Sensitive and would taint for_each filters).
+  parent_provider_kind = {
+    for name, alloc in local.parent_allocations :
+    name => nonsensitive(
+      alloc.provider.route53_ravion != null ? "route53_ravion" :
+      alloc.provider.route53 != null ? "route53" :
+      alloc.provider.cloudflare != null ? "cloudflare" :
+      "external"
+    )
+  }
+
+  parent_groups_route53_ravion = {
+    for name, alloc in local.parent_allocations : name => alloc
+    if local.parent_provider_kind[name] == "route53_ravion"
+  }
+  parent_groups_route53 = {
+    for name, alloc in local.parent_allocations : name => alloc
+    if local.parent_provider_kind[name] == "route53"
+  }
+  parent_groups_cloudflare = {
+    for name, alloc in local.parent_allocations : name => alloc
+    if local.parent_provider_kind[name] == "cloudflare"
+  }
+}
+
+# 4a. ROUTE53_RAVION validation — Ravion writes the record inline.
+# Wildcard parent certs have one validation per cert; we grab [0].
+resource "ravion_dns_records" "parent_validation_ravion" {
+  for_each = local.parent_groups_route53_ravion
+
+  managed_domain_id = each.value.id
+  purpose           = "acm_validation"
+  records = [{
+    name  = tolist(aws_acm_certificate.parent[each.key].domain_validation_options)[0].resource_record_name
+    type  = tolist(aws_acm_certificate.parent[each.key].domain_validation_options)[0].resource_record_type
+    value = tolist(aws_acm_certificate.parent[each.key].domain_validation_options)[0].resource_record_value
+    ttl   = 60
+  }]
+}
+
+# 4b. ROUTE53 customer validation.
+resource "aws_route53_record" "parent_validation_r53" {
+  for_each = local.parent_groups_route53
+
+  zone_id = each.value.provider.route53.hosted_zone_id
+  name    = tolist(aws_acm_certificate.parent[each.key].domain_validation_options)[0].resource_record_name
+  type    = tolist(aws_acm_certificate.parent[each.key].domain_validation_options)[0].resource_record_type
+  records = [tolist(aws_acm_certificate.parent[each.key].domain_validation_options)[0].resource_record_value]
+  ttl     = 60
+}
+
+resource "ravion_dns_records" "parent_validation_metadata_r53" {
+  for_each = local.parent_groups_route53
+
+  managed_domain_id = each.value.id
+  purpose           = "acm_validation"
+  records = [{
+    name  = tolist(aws_acm_certificate.parent[each.key].domain_validation_options)[0].resource_record_name
+    type  = tolist(aws_acm_certificate.parent[each.key].domain_validation_options)[0].resource_record_type
+    value = tolist(aws_acm_certificate.parent[each.key].domain_validation_options)[0].resource_record_value
+    ttl   = 60
+  }]
+  depends_on = [aws_route53_record.parent_validation_r53]
+}
+
+# 4c. CLOUDFLARE validation — single SDK-backed write via the api-go
+# CloudflareWriter (cloudflare-go/v6, token from vault per call).
+resource "ravion_dns_records" "parent_validation_cf" {
+  for_each = local.parent_groups_cloudflare
+
+  managed_domain_id = each.value.id
+  purpose           = "acm_validation"
+  records = [{
+    name  = tolist(aws_acm_certificate.parent[each.key].domain_validation_options)[0].resource_record_name
+    type  = tolist(aws_acm_certificate.parent[each.key].domain_validation_options)[0].resource_record_type
+    value = tolist(aws_acm_certificate.parent[each.key].domain_validation_options)[0].resource_record_value
+    ttl   = 60
+  }]
+}
+
+# 5. Cert validation — waits for the right writer per variant.
+resource "aws_acm_certificate_validation" "parent" {
+  for_each = local.parent_allocations
+
+  certificate_arn = aws_acm_certificate.parent[each.key].arn
+  validation_record_fqdns = concat(
+    contains(keys(local.parent_groups_route53_ravion), each.key) ? [ravion_dns_records.parent_validation_ravion[each.key].fqdns[0]] : [],
+    contains(keys(local.parent_groups_route53), each.key) ? [ravion_dns_records.parent_validation_metadata_r53[each.key].fqdns[0]] : [],
+    contains(keys(local.parent_groups_cloudflare), each.key) ? [ravion_dns_records.parent_validation_cf[each.key].fqdns[0]] : [],
+  )
+}
+
+# 6. Register cert metadata at Ravion.
+resource "ravion_managed_certificate" "parent" {
+  for_each = local.parent_allocations
+
+  cert_arn           = aws_acm_certificate_validation.parent[each.key].certificate_arn
+  status             = "ISSUED"
+  pattern            = "WILDCARD"
+  ownership          = contains(keys(local.parent_groups_route53_ravion), each.key) ? "PLATFORM" : "CUSTOMER"
+  name               = each.key
+  kind               = each.value.kind
+  managed_domain_ids = [each.value.managed_domain_id]
+  issued_at          = aws_acm_certificate.parent[each.key].not_before
+  expires_at         = aws_acm_certificate.parent[each.key].not_after
+}
+
+# SNI cert attachment is the PARENT MODULE's responsibility (cluster
+# threads the ARN through its ALB child module's certificate_arns list
+# so the cert can serve as default OR SNI without double-attach). The
+# `parent_groups` output below exposes the ARN for that consumer.
diff --git a/_shared/ravion_cert_groups/variables.tf b/_shared/ravion_cert_groups/variables.tf
new file mode 100644
index 0000000..fde5037
--- /dev/null
+++ b/_shared/ravion_cert_groups/variables.tf
@@ -0,0 +1,120 @@
+################################################################################
+# Inputs for the shared cert-groups child module.
+#
+# Parent modules (compute/ecs_cluster, compute/ecs_service, future
+# hosting/static_site) instantiate this with their own var.cert_groups
+# and a routing-target description. The shared module owns ALL the
+# allocation / cert / DNS-record / listener-rule resources.
+################################################################################
+
+variable "name" {
+  type        = string
+  description = "Stable prefix used in tags and listener-rule priority hashing. Pass the parent module's `var.name` so two parents in the same cluster don't collide."
+}
+
+variable "mode" {
+  type        = string
+  description = "Dispatch mode. `leaf` (default) = per-FQDN allocations under a parent (used by ecs_service). `parent` = ONE wildcard cert + parent allocation per group (used by ecs_cluster) for services to nest under."
+  default     = "leaf"
+
+  validation {
+    condition     = contains(["leaf", "parent"], var.mode)
+    error_message = "mode must be `leaf` or `parent`."
+  }
+}
+
+variable "cert_groups" {
+  type = list(object({
+    name                  = string
+    kind                  = string
+    dns_provider_id       = optional(string)
+    dns_provider_given_id = optional(string)
+    domains               = list(string)
+    wildcard_fqdn         = optional(string)
+    parent_group_name     = optional(string)
+  }))
+  description = "Operator-facing cert-group rows. Field semantics depend on `var.mode`. Leaf mode kinds: `inherit` (leaf labels nested under a chosen cluster parent group), `customer` (per-FQDN cert under row's DnsProvider). Parent mode kinds: `ravion_auto` (auto-derived wildcard under platform apex), `customer` (wildcard at row's wildcard_fqdn)."
+  default     = []
+}
+
+variable "cluster_groups" {
+  type = map(object({
+    parent_allocation_id = string
+    managed_domain_id    = string
+    wildcard_fqdn        = string
+    cert_arn             = string
+    dns_provider_id      = string
+    # `PLATFORM` | `CUSTOMER` — mirror of the parent cert's ownership
+    # so leaf-mode `inherit` placeholder certs match the cert they
+    # ride via SNI.
+    ownership = string
+  }))
+  description = "Upstream cluster's parent-mode output (`module.ravion_cert_groups.parent_groups` from the cluster). Leaf-mode `inherit` cert groups look up their parent here via parent_group_name. Empty for cluster-only callers."
+  default     = {}
+}
+
+variable "module_instance_given_id" {
+  type        = string
+  description = "Parent module-instance given_id. Used by `ravion_auto` groups with empty `domains` as the slug for the zero-typing auto-allocation."
+  default     = null
+}
+
+variable "ravion_parent_domain_allocation_id" {
+  type        = string
+  description = "Cluster's parent DomainAllocation id. `ravion_auto` groups nest their allocations under this. Null = ravion_auto disabled."
+  default     = null
+}
+
+variable "ravion_dns_provider_id" {
+  type        = string
+  description = "Cluster's DnsProvider id. Used by `ravion_auto` group allocations. Null = ravion_auto disabled (precondition fires)."
+  default     = null
+}
+
+variable "routing_target_dns_name" {
+  type        = string
+  description = "Routing-target DNS name for customer-group routing records. ALB DNS for ECS, distribution domain for CloudFront."
+  default     = null
+}
+
+variable "routing_target_zone_id" {
+  type        = string
+  description = "Routing-target hosted-zone id (ELBv2-provided for ALB, empty for CloudFront). Used by Route53 ALIAS routing records."
+  default     = null
+}
+
+variable "listener_arn" {
+  type        = string
+  description = "HTTPS listener ARN to attach customer-group SNI certs to + write host-header rules on. Null when the parent has no listener (e.g. cluster-only usage with no rules)."
+  default     = null
+}
+
+variable "target_group_arn" {
+  type        = string
+  description = "Target group ARN that host-header rules forward to. Null when there is no service to route to (e.g. cluster-level cert-only usage)."
+  default     = null
+}
+
+variable "tags" {
+  type        = map(string)
+  description = "Extra tags merged onto every taggable resource the module creates."
+  default     = {}
+}
+
+variable "platform_apex_provider_given_id" {
+  type        = string
+  description = "DnsProvider given_id of the Ravion-managed platform apex. Used by parent mode + `ravion_auto` kind to look up the apex zone the cluster wildcard is allocated under."
+  default     = "ravion-platform-apex"
+}
+
+variable "module_instance_id" {
+  type        = string
+  description = "Parent module-instance id. Used in parent mode to derive a stable random suffix for the auto-generated wildcard FQDN slug."
+  default     = null
+}
+
+variable "external_dns_provider_given_id" {
+  type        = string
+  description = "Per-org stable identifier of the singleton EXTERNAL DnsProvider used by `external` cert groups. The customer creates this once per org via POST /v1/dns-providers with providerType=EXTERNAL. Default `external` matches the seed identifier."
+  default     = "external"
+}
diff --git a/_shared/ravion_cert_groups/versions.tf b/_shared/ravion_cert_groups/versions.tf
new file mode 100644
index 0000000..18f9c42
--- /dev/null
+++ b/_shared/ravion_cert_groups/versions.tf
@@ -0,0 +1,14 @@
+terraform {
+  required_version = ">= 1.10.0"
+
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 6.0"
+    }
+    ravion = {
+      source  = "ravion.com/ravion/domains"
+      version = ">= 2.0.0"
+    }
+  }
+}
diff --git a/compute/autoscaling/.terraform.lock.hcl b/compute/autoscaling/.terraform.lock.hcl
deleted file mode 100644
index 0259651..0000000
--- a/compute/autoscaling/.terraform.lock.hcl
+++ /dev/null
@@ -1,25 +0,0 @@
-# This file is maintained automatically by "terraform init".
-# Manual edits may be lost in future updates.
-
-provider "registry.terraform.io/hashicorp/aws" {
-  version     = "6.28.0"
-  constraints = ">= 5.0.0"
-  hashes = [
-    "h1:RwoFuX1yGMVaKJaUmXDKklEaQ/yUCEdt5k2kz+/g08c=",
-    "zh:0ba0d5eb6e0c6a933eb2befe3cdbf22b58fbc0337bf138f95bf0e8bb6e6df93e",
-    "zh:23eacdd4e6db32cf0ff2ce189461bdbb62e46513978d33c5de4decc4670870ec",
-    "zh:307b06a15fc00a8e6fd243abde2cbe5112e9d40371542665b91bec1018dd6e3c",
-    "zh:37a02d5b45a9d050b9642c9e2e268297254192280df72f6e46641daca52e40ec",
-    "zh:3da866639f07d92e734557d673092719c33ede80f4276c835bf7f231a669aa33",
-    "zh:480060b0ba310d0f6b6a14d60b276698cb103c48fd2f7e2802ae47c963995ec6",
-    "zh:57796453455c20db80d9168edbf125bf6180e1aae869de1546a2be58e4e405ec",
-    "zh:69139cba772d4df8de87598d8d8a2b1b4b254866db046c061dccc79edb14e6b9",
-    "zh:7312763259b859ff911c5452ca8bdf7d0be6231c5ea0de2df8f09d51770900ac",
-    "zh:8d2d6f4015d3c155d7eb53e36f019a729aefb46ebfe13f3a637327d3a1402ecc",
-    "zh:94ce589275c77308e6253f607de96919b840c2dd36c44aa798f693c9dd81af42",
-    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
-    "zh:adaceec6a1bf4f5df1e12bd72cf52b72087c72efed078aef636f8988325b1a8b",
-    "zh:d37be1ce187d94fd9df7b13a717c219964cd835c946243f096c6b230cdfd7e92",
-    "zh:fe6205b5ca2ff36e68395cb8d3ae10a3728f405cdbcd46b206a515e1ebcf17a1",
-  ]
-}
diff --git a/compute/autoscaling/variables.tf b/compute/autoscaling/variables.tf
index 7bce8be..64d5ae2 100644
--- a/compute/autoscaling/variables.tf
+++ b/compute/autoscaling/variables.tf
@@ -50,7 +50,7 @@ variable "desired_capacity" {
   default     = null
 
   validation {
-    condition     = var.desired_capacity == null || var.desired_capacity >= 0
+    condition = var.desired_capacity == null || var.desired_capacity >= 0
     error_message = "The desired_capacity must be null or 0 or greater."
   }
 }
@@ -91,7 +91,7 @@ variable "default_instance_warmup" {
   default     = null
 
   validation {
-    condition     = var.default_instance_warmup == null || var.default_instance_warmup >= 0
+    condition = var.default_instance_warmup == null || var.default_instance_warmup >= 0
     error_message = "The default_instance_warmup must be null or 0 or greater."
   }
 }
@@ -118,7 +118,7 @@ variable "max_instance_lifetime" {
   default     = null
 
   validation {
-    condition     = var.max_instance_lifetime == null || var.max_instance_lifetime == 0 || (var.max_instance_lifetime >= 86400 && var.max_instance_lifetime <= 31536000)
+    condition = var.max_instance_lifetime == null || var.max_instance_lifetime == 0 || (var.max_instance_lifetime >= 86400 && var.max_instance_lifetime <= 31536000)
     error_message = "The max_instance_lifetime must be null, 0, or between 86400 (1 day) and 31536000 (365 days)."
   }
 }
@@ -238,7 +238,7 @@ variable "service_linked_role_arn" {
   default     = null
 
   validation {
-    condition     = var.service_linked_role_arn == null || can(regex("^arn:aws:iam::", var.service_linked_role_arn))
+    condition = var.service_linked_role_arn == null || can(regex("^arn:aws:iam::", var.service_linked_role_arn))
     error_message = "The service_linked_role_arn must be null or a valid IAM role ARN starting with 'arn:aws:iam::'."
   }
 }
@@ -297,7 +297,7 @@ variable "launch_template_id" {
   default     = null
 
   validation {
-    condition     = var.launch_template_id == null || can(regex("^lt-", var.launch_template_id))
+    condition = var.launch_template_id == null || can(regex("^lt-", var.launch_template_id))
     error_message = "The launch_template_id must be null or a valid launch template ID starting with 'lt-'."
   }
 }
@@ -594,36 +594,44 @@ variable "mixed_instances_policy" {
   default     = null
 
   validation {
-    condition = var.mixed_instances_policy == null || (
-      var.mixed_instances_policy.instances_distribution == null ||
-      contains(["prioritized", "lowest-price"], coalesce(var.mixed_instances_policy.instances_distribution.on_demand_allocation_strategy, "prioritized"))
-    )
+    condition = try(
+      var.mixed_instances_policy == null || (
+        var.mixed_instances_policy.instances_distribution == null ||
+        contains(["prioritized", "lowest-price"], coalesce(var.mixed_instances_policy.instances_distribution.on_demand_allocation_strategy, "prioritized"))
+      )
+    , true)
     error_message = "The on_demand_allocation_strategy must be 'prioritized' or 'lowest-price'."
   }
 
   validation {
-    condition = var.mixed_instances_policy == null || (
-      var.mixed_instances_policy.instances_distribution == null ||
-      contains(["capacity-optimized", "capacity-optimized-prioritized", "lowest-price", "price-capacity-optimized"], coalesce(var.mixed_instances_policy.instances_distribution.spot_allocation_strategy, "capacity-optimized"))
-    )
+    condition = try(
+      var.mixed_instances_policy == null || (
+        var.mixed_instances_policy.instances_distribution == null ||
+        contains(["capacity-optimized", "capacity-optimized-prioritized", "lowest-price", "price-capacity-optimized"], coalesce(var.mixed_instances_policy.instances_distribution.spot_allocation_strategy, "capacity-optimized"))
+      )
+    , true)
     error_message = "The spot_allocation_strategy must be 'capacity-optimized', 'capacity-optimized-prioritized', 'lowest-price', or 'price-capacity-optimized'."
   }
 
   validation {
-    condition = var.mixed_instances_policy == null || (
-      var.mixed_instances_policy.instances_distribution == null || (
-        coalesce(var.mixed_instances_policy.instances_distribution.on_demand_percentage_above_base_capacity, 100) >= 0 &&
-        coalesce(var.mixed_instances_policy.instances_distribution.on_demand_percentage_above_base_capacity, 100) <= 100
+    condition = try(
+      var.mixed_instances_policy == null || (
+        var.mixed_instances_policy.instances_distribution == null || (
+          coalesce(var.mixed_instances_policy.instances_distribution.on_demand_percentage_above_base_capacity, 100) >= 0 &&
+          coalesce(var.mixed_instances_policy.instances_distribution.on_demand_percentage_above_base_capacity, 100) <= 100
+        )
       )
-    )
+    , true)
     error_message = "The on_demand_percentage_above_base_capacity must be between 0 and 100."
   }
 
   validation {
-    condition = var.mixed_instances_policy == null || (
-      var.mixed_instances_policy.instances_distribution == null ||
-      coalesce(var.mixed_instances_policy.instances_distribution.on_demand_base_capacity, 0) >= 0
-    )
+    condition = try(
+      var.mixed_instances_policy == null || (
+        var.mixed_instances_policy.instances_distribution == null ||
+        coalesce(var.mixed_instances_policy.instances_distribution.on_demand_base_capacity, 0) >= 0
+      )
+    , true)
     error_message = "The on_demand_base_capacity must be 0 or greater."
   }
 }
@@ -678,47 +686,59 @@ variable "instance_refresh" {
   default     = null
 
   validation {
-    condition = var.instance_refresh == null || (
-      contains(["Rolling"], coalesce(var.instance_refresh.strategy, "Rolling"))
-    )
+    condition = try(
+      var.instance_refresh == null || (
+        contains(["Rolling"], coalesce(var.instance_refresh.strategy, "Rolling"))
+      )
+    , true)
     error_message = "The instance_refresh strategy must be 'Rolling'."
   }
 
   validation {
-    condition = var.instance_refresh == null || var.instance_refresh.preferences == null || (
-      coalesce(var.instance_refresh.preferences.min_healthy_percentage, 90) >= 0 &&
-      coalesce(var.instance_refresh.preferences.min_healthy_percentage, 90) <= 100
-    )
+    condition = try(
+      var.instance_refresh == null || var.instance_refresh.preferences == null || (
+        coalesce(var.instance_refresh.preferences.min_healthy_percentage, 90) >= 0 &&
+        coalesce(var.instance_refresh.preferences.min_healthy_percentage, 90) <= 100
+      )
+    , true)
     error_message = "The min_healthy_percentage must be between 0 and 100."
   }
 
   validation {
-    condition = var.instance_refresh == null || var.instance_refresh.preferences == null || (
-      coalesce(var.instance_refresh.preferences.max_healthy_percentage, 100) >= 100 &&
-      coalesce(var.instance_refresh.preferences.max_healthy_percentage, 100) <= 200
-    )
+    condition = try(
+      var.instance_refresh == null || var.instance_refresh.preferences == null || (
+        coalesce(var.instance_refresh.preferences.max_healthy_percentage, 100) >= 100 &&
+        coalesce(var.instance_refresh.preferences.max_healthy_percentage, 100) <= 200
+      )
+    , true)
     error_message = "The max_healthy_percentage must be between 100 and 200."
   }
 
   validation {
-    condition = var.instance_refresh == null || var.instance_refresh.preferences == null || (
-      contains(["Refresh", "Ignore", "Wait"], coalesce(var.instance_refresh.preferences.scale_in_protected_instances, "Ignore"))
-    )
+    condition = try(
+      var.instance_refresh == null || var.instance_refresh.preferences == null || (
+        contains(["Refresh", "Ignore", "Wait"], coalesce(var.instance_refresh.preferences.scale_in_protected_instances, "Ignore"))
+      )
+    , true)
     error_message = "The scale_in_protected_instances must be 'Refresh', 'Ignore', or 'Wait'."
   }
 
   validation {
-    condition = var.instance_refresh == null || var.instance_refresh.preferences == null || (
-      contains(["Terminate", "Ignore", "Wait"], coalesce(var.instance_refresh.preferences.standby_instances, "Ignore"))
-    )
+    condition = try(
+      var.instance_refresh == null || var.instance_refresh.preferences == null || (
+        contains(["Terminate", "Ignore", "Wait"], coalesce(var.instance_refresh.preferences.standby_instances, "Ignore"))
+      )
+    , true)
     error_message = "The standby_instances must be 'Terminate', 'Ignore', or 'Wait'."
   }
 
   validation {
-    condition = var.instance_refresh == null || var.instance_refresh.preferences == null || (
-      var.instance_refresh.preferences.checkpoint_percentages == null ||
-      alltrue([for p in var.instance_refresh.preferences.checkpoint_percentages : p >= 0 && p <= 100])
-    )
+    condition = try(
+      var.instance_refresh == null || var.instance_refresh.preferences == null || (
+        var.instance_refresh.preferences.checkpoint_percentages == null ||
+        alltrue([for p in var.instance_refresh.preferences.checkpoint_percentages : p >= 0 && p <= 100])
+      )
+    , true)
     error_message = "All checkpoint_percentages must be between 0 and 100."
   }
 }
@@ -752,24 +772,30 @@ variable "warm_pool" {
   default     = null
 
   validation {
-    condition = var.warm_pool == null || (
-      contains(["Stopped", "Running", "Hibernated"], coalesce(var.warm_pool.pool_state, "Stopped"))
-    )
+    condition = try(
+      var.warm_pool == null || (
+        contains(["Stopped", "Running", "Hibernated"], coalesce(var.warm_pool.pool_state, "Stopped"))
+      )
+    , true)
     error_message = "The pool_state must be 'Stopped', 'Running', or 'Hibernated'."
   }
 
   validation {
-    condition = var.warm_pool == null || (
-      coalesce(var.warm_pool.min_size, 0) >= 0
-    )
+    condition = try(
+      var.warm_pool == null || (
+        coalesce(var.warm_pool.min_size, 0) >= 0
+      )
+    , true)
     error_message = "The warm_pool min_size must be 0 or greater."
   }
 
   validation {
-    condition = var.warm_pool == null || (
-      var.warm_pool.max_group_prepared_capacity == null ||
-      var.warm_pool.max_group_prepared_capacity >= 0
-    )
+    condition = try(
+      var.warm_pool == null || (
+        var.warm_pool.max_group_prepared_capacity == null ||
+        var.warm_pool.max_group_prepared_capacity >= 0
+      )
+    , true)
     error_message = "The max_group_prepared_capacity must be null or 0 or greater."
   }
 }
@@ -834,18 +860,22 @@ variable "lifecycle_hooks" {
   }
 
   validation {
-    condition = alltrue([
-      for hook in var.lifecycle_hooks :
-      hook.notification_target_arn == null || can(regex("^arn:aws:(sns|sqs):", hook.notification_target_arn))
-    ])
+    condition = try(
+      alltrue([
+        for hook in var.lifecycle_hooks :
+        hook.notification_target_arn == null || can(regex("^arn:aws:(sns|sqs):", hook.notification_target_arn))
+      ])
+    , true)
     error_message = "Each notification_target_arn must be null or a valid SNS topic or SQS queue ARN."
   }
 
   validation {
-    condition = alltrue([
-      for hook in var.lifecycle_hooks :
-      hook.role_arn == null || can(regex("^arn:aws:iam::", hook.role_arn))
-    ])
+    condition = try(
+      alltrue([
+        for hook in var.lifecycle_hooks :
+        hook.role_arn == null || can(regex("^arn:aws:iam::", hook.role_arn))
+      ])
+    , true)
     error_message = "Each role_arn must be null or a valid IAM role ARN."
   }
 }
@@ -1087,69 +1117,83 @@ variable "scaling_policies" {
   }
 
   validation {
-    condition = alltrue([
-      for policy in var.scaling_policies :
-      policy.adjustment_type == null || contains(["ChangeInCapacity", "ExactCapacity", "PercentChangeInCapacity"], policy.adjustment_type)
-    ])
+    condition = try(
+      alltrue([
+        for policy in var.scaling_policies :
+        policy.adjustment_type == null || contains(["ChangeInCapacity", "ExactCapacity", "PercentChangeInCapacity"], policy.adjustment_type)
+      ])
+    , true)
     error_message = "Each adjustment_type must be 'ChangeInCapacity', 'ExactCapacity', or 'PercentChangeInCapacity'."
   }
 
   validation {
-    condition = alltrue([
-      for policy in var.scaling_policies :
-      policy.metric_aggregation_type == null || contains(["Minimum", "Maximum", "Average"], policy.metric_aggregation_type)
-    ])
+    condition = try(
+      alltrue([
+        for policy in var.scaling_policies :
+        policy.metric_aggregation_type == null || contains(["Minimum", "Maximum", "Average"], policy.metric_aggregation_type)
+      ])
+    , true)
     error_message = "Each metric_aggregation_type must be 'Minimum', 'Maximum', or 'Average'."
   }
 
   validation {
-    condition = alltrue([
-      for policy in var.scaling_policies :
-      policy.target_tracking_configuration == null ||
-      policy.target_tracking_configuration.predefined_metric_specification == null ||
-      contains(
-        ["ASGAverageCPUUtilization", "ASGAverageNetworkIn", "ASGAverageNetworkOut", "ALBRequestCountPerTarget"],
-        policy.target_tracking_configuration.predefined_metric_specification.predefined_metric_type
-      )
-    ])
+    condition = try(
+      alltrue([
+        for policy in var.scaling_policies :
+        policy.target_tracking_configuration == null ||
+        policy.target_tracking_configuration.predefined_metric_specification == null ||
+        contains(
+          ["ASGAverageCPUUtilization", "ASGAverageNetworkIn", "ASGAverageNetworkOut", "ALBRequestCountPerTarget"],
+          policy.target_tracking_configuration.predefined_metric_specification.predefined_metric_type
+        )
+      ])
+    , true)
     error_message = "Each predefined_metric_type for target tracking must be 'ASGAverageCPUUtilization', 'ASGAverageNetworkIn', 'ASGAverageNetworkOut', or 'ALBRequestCountPerTarget'."
   }
 
   validation {
-    condition = alltrue([
-      for policy in var.scaling_policies :
-      policy.predictive_scaling_configuration == null ||
-      contains(["ForecastAndScale", "ForecastOnly"], coalesce(policy.predictive_scaling_configuration.mode, "ForecastOnly"))
-    ])
+    condition = try(
+      alltrue([
+        for policy in var.scaling_policies :
+        policy.predictive_scaling_configuration == null ||
+        contains(["ForecastAndScale", "ForecastOnly"], coalesce(policy.predictive_scaling_configuration.mode, "ForecastOnly"))
+      ])
+    , true)
     error_message = "Each predictive scaling mode must be 'ForecastAndScale' or 'ForecastOnly'."
   }
 
   validation {
-    condition = alltrue([
-      for policy in var.scaling_policies :
-      policy.predictive_scaling_configuration == null ||
-      contains(["IncreaseMaxCapacity", "HonorMaxCapacity"], coalesce(policy.predictive_scaling_configuration.max_capacity_breach_behavior, "HonorMaxCapacity"))
-    ])
+    condition = try(
+      alltrue([
+        for policy in var.scaling_policies :
+        policy.predictive_scaling_configuration == null ||
+        contains(["IncreaseMaxCapacity", "HonorMaxCapacity"], coalesce(policy.predictive_scaling_configuration.max_capacity_breach_behavior, "HonorMaxCapacity"))
+      ])
+    , true)
     error_message = "Each max_capacity_breach_behavior must be 'IncreaseMaxCapacity' or 'HonorMaxCapacity'."
   }
 
   validation {
-    condition = alltrue([
-      for policy in var.scaling_policies :
-      policy.predictive_scaling_configuration == null ||
-      policy.predictive_scaling_configuration.scheduling_buffer_time == null ||
-      (policy.predictive_scaling_configuration.scheduling_buffer_time >= 0 && policy.predictive_scaling_configuration.scheduling_buffer_time <= 3600)
-    ])
+    condition = try(
+      alltrue([
+        for policy in var.scaling_policies :
+        policy.predictive_scaling_configuration == null ||
+        policy.predictive_scaling_configuration.scheduling_buffer_time == null ||
+        (policy.predictive_scaling_configuration.scheduling_buffer_time >= 0 && policy.predictive_scaling_configuration.scheduling_buffer_time <= 3600)
+      ])
+    , true)
     error_message = "Each scheduling_buffer_time must be between 0 and 3600 seconds."
   }
 
   validation {
-    condition = alltrue([
-      for policy in var.scaling_policies :
-      policy.predictive_scaling_configuration == null ||
-      policy.predictive_scaling_configuration.max_capacity_buffer == null ||
-      (policy.predictive_scaling_configuration.max_capacity_buffer >= 0 && policy.predictive_scaling_configuration.max_capacity_buffer <= 100)
-    ])
+    condition = try(
+      alltrue([
+        for policy in var.scaling_policies :
+        policy.predictive_scaling_configuration == null ||
+        policy.predictive_scaling_configuration.max_capacity_buffer == null ||
+        (policy.predictive_scaling_configuration.max_capacity_buffer >= 0 && policy.predictive_scaling_configuration.max_capacity_buffer <= 100)
+      ])
+    , true)
     error_message = "Each max_capacity_buffer must be between 0 and 100."
   }
 }
@@ -1181,25 +1225,29 @@ variable "notifications" {
   default     = null
 
   validation {
-    condition = var.notifications == null || (
-      can(regex("^arn:aws:sns:", var.notifications.topic_arn))
-    )
+    condition = try(
+      var.notifications == null || (
+        can(regex("^arn:aws:sns:", var.notifications.topic_arn))
+      )
+    , true)
     error_message = "The topic_arn must be a valid SNS topic ARN starting with 'arn:aws:sns:'."
   }
 
   validation {
-    condition = var.notifications == null || (
-      alltrue([
-        for notification in coalesce(var.notifications.notifications, []) :
-        contains([
-          "autoscaling:EC2_INSTANCE_LAUNCH",
-          "autoscaling:EC2_INSTANCE_LAUNCH_ERROR",
-          "autoscaling:EC2_INSTANCE_TERMINATE",
-          "autoscaling:EC2_INSTANCE_TERMINATE_ERROR",
-          "autoscaling:TEST_NOTIFICATION"
-        ], notification)
-      ])
-    )
+    condition = try(
+      var.notifications == null || (
+        alltrue([
+          for notification in coalesce(var.notifications.notifications, []) :
+          contains([
+            "autoscaling:EC2_INSTANCE_LAUNCH",
+            "autoscaling:EC2_INSTANCE_LAUNCH_ERROR",
+            "autoscaling:EC2_INSTANCE_TERMINATE",
+            "autoscaling:EC2_INSTANCE_TERMINATE_ERROR",
+            "autoscaling:TEST_NOTIFICATION"
+          ], notification)
+        ])
+      )
+    , true)
     error_message = "Each notification must be one of: 'autoscaling:EC2_INSTANCE_LAUNCH', 'autoscaling:EC2_INSTANCE_LAUNCH_ERROR', 'autoscaling:EC2_INSTANCE_TERMINATE', 'autoscaling:EC2_INSTANCE_TERMINATE_ERROR', 'autoscaling:TEST_NOTIFICATION'."
   }
 }
@@ -1294,26 +1342,32 @@ variable "schedules" {
   }
 
   validation {
-    condition = alltrue([
-      for schedule in var.schedules :
-      schedule.min_size == null || schedule.min_size >= 0
-    ])
+    condition = try(
+      alltrue([
+        for schedule in var.schedules :
+        schedule.min_size == null || schedule.min_size >= 0
+      ])
+    , true)
     error_message = "Each schedule min_size must be null or 0 or greater."
   }
 
   validation {
-    condition = alltrue([
-      for schedule in var.schedules :
-      schedule.max_size == null || schedule.max_size >= 1
-    ])
+    condition = try(
+      alltrue([
+        for schedule in var.schedules :
+        schedule.max_size == null || schedule.max_size >= 1
+      ])
+    , true)
     error_message = "Each schedule max_size must be null or at least 1."
   }
 
   validation {
-    condition = alltrue([
-      for schedule in var.schedules :
-      schedule.desired_capacity == null || schedule.desired_capacity >= 0
-    ])
+    condition = try(
+      alltrue([
+        for schedule in var.schedules :
+        schedule.desired_capacity == null || schedule.desired_capacity >= 0
+      ])
+    , true)
     error_message = "Each schedule desired_capacity must be null or 0 or greater."
   }
 }
@@ -1336,17 +1390,19 @@ variable "instance_maintenance_policy" {
   default     = null
 
   validation {
-    condition = var.instance_maintenance_policy == null || (
+    condition = try(
       coalesce(var.instance_maintenance_policy.min_healthy_percentage, 90) >= 0 &&
-      coalesce(var.instance_maintenance_policy.min_healthy_percentage, 90) <= 100
+      coalesce(var.instance_maintenance_policy.min_healthy_percentage, 90) <= 100,
+      true
     )
     error_message = "The min_healthy_percentage must be between 0 and 100."
   }
 
   validation {
-    condition = var.instance_maintenance_policy == null || (
+    condition = try(
       coalesce(var.instance_maintenance_policy.max_healthy_percentage, 120) >= 100 &&
-      coalesce(var.instance_maintenance_policy.max_healthy_percentage, 120) <= 200
+      coalesce(var.instance_maintenance_policy.max_healthy_percentage, 120) <= 200,
+      true
     )
     error_message = "The max_healthy_percentage must be between 100 and 200."
   }
diff --git a/compute/ecs_cluster/.terraform.lock.hcl b/compute/ecs_cluster/.terraform.lock.hcl
deleted file mode 100644
index 28ffb2f..0000000
--- a/compute/ecs_cluster/.terraform.lock.hcl
+++ /dev/null
@@ -1,25 +0,0 @@
-# This file is maintained automatically by "tofu init".
-# Manual edits may be lost in future updates.
-
-provider "registry.opentofu.org/hashicorp/aws" {
-  version     = "6.39.0"
-  constraints = ">= 5.0.0"
-  hashes = [
-    "h1:c9SG8ZdYgzqpxORpTqeLFeXW4qQQ8GMGCcUkU+FAfQM=",
-    "zh:00a6c0d8b5b86833087e367b632e9ab73fb8db9c43569020ebd0489dc2c919ce",
-    "zh:05f2b56211f4c8a0b66a093d025187cbc7be086dedef62306f5a28290598ebdc",
-    "zh:24d97a31d5ab814c33ed32a5b7674f1a15544b2367a95bddd00cfdd8d6b82740",
-    "zh:258194e24ac07ee194d580ca25a25fa7bc48fa40fed4fd58352b0a64da0da4c9",
-    "zh:315337e5f0ccafeadf490f117151b52c6d66244bf652f4fee975eddda662af3b",
-    "zh:38573dd56cca8c0ffe33396cf17cc8bd13de1d27d3c4da4177e485d174f1eaf0",
-    "zh:4baa806c5eb8faae95cea3f1dfafb153b5e3e96c5b30a2102072da4f032d2d9b",
-    "zh:4f258106baca7e00a6904b2353579d283e4400a75cd0353a25e057921e8a8d96",
-    "zh:62e5d4628d03883a6c2a6e3c297eb54df9b5935e9e3a655dbb1c6c5ddaf7ea33",
-    "zh:8af5fae01c1cef65d149fa6fe47e94cf46ffa97d29e8f2dfe41aeae01da590ea",
-    "zh:a8240b40f7be408ac24897597a85dc4fe56f390224b11ecad2c1327e686fca58",
-    "zh:c549eee2a0cf0e2c4a676614d990121b685beab0047b1073407ee26247c4be13",
-    "zh:cfed074ba8948c75445c74c69722cb17c960024b1917b4f26905aa9c9ac4e667",
-    "zh:d6f4f4fa01e33d0d546705e2776f38d0b4f2847827b3f07ecde87cc02ef3d23e",
-    "zh:e7239b349c3149e4670750481b687c5c828908fd09f2196d7af1ac1b4d83e80b",
-  ]
-}
diff --git a/compute/ecs_cluster/data.tf b/compute/ecs_cluster/data.tf
index 9b78bc4..24bad9e 100644
--- a/compute/ecs_cluster/data.tf
+++ b/compute/ecs_cluster/data.tf
@@ -15,4 +15,5 @@ data "aws_region" "current" {}
 # Get current AWS account ID
 data "aws_caller_identity" "current" {}
 
-
+# DnsProvider lookups for cert groups live inside the shared
+# `ravion_cert_groups` child module (per-group + platform-apex).
diff --git a/compute/ecs_cluster/load_balancers.tf b/compute/ecs_cluster/load_balancers.tf
index 9eaec97..4a90630 100644
--- a/compute/ecs_cluster/load_balancers.tf
+++ b/compute/ecs_cluster/load_balancers.tf
@@ -19,8 +19,10 @@ module "public_alb" {
   enable_https_listener  = var.public_alb_enable_https
   http_to_https_redirect = var.public_alb_enable_https
 
-  # SSL/TLS
-  certificate_arns = var.public_alb_certificate_arns
+  # SSL/TLS — when the cluster manages domains via Ravion, the wildcard
+  # cert issued in ravion_domains.tf is wired in as the default; the
+  # BYO list is appended for SNI on customer-supplied domains.
+  certificate_arns = local.public_alb_effective_certificate_arns
   ssl_policy       = var.public_alb_ssl_policy
 
   # ALB settings
diff --git a/compute/ecs_cluster/locals.tf b/compute/ecs_cluster/locals.tf
index 4db1e88..e6b6a2d 100644
--- a/compute/ecs_cluster/locals.tf
+++ b/compute/ecs_cluster/locals.tf
@@ -1,5 +1,17 @@
 locals {
   region = coalesce(var.region, data.aws_region.current.id)
+
+  # Listener cert list: BYO ARNs first (user's choice as default cert),
+  # then every cert-group's wildcard cert as SNI extras. When BYO is
+  # empty, the first cert-group cert becomes default. Both empty =
+  # ALB module errors (HTTPS without a cert is invalid).
+  cert_group_arns = [
+    for _name, g in module.ravion_cert_groups.parent_groups : g.cert_arn
+  ]
+  public_alb_effective_certificate_arns = concat(
+    var.public_alb_certificate_arns,
+    local.cert_group_arns,
+  )
 }
 
 ################################################################################
diff --git a/compute/ecs_cluster/module.yml b/compute/ecs_cluster/module.yml
index 7232a55..f2bf24b 100644
--- a/compute/ecs_cluster/module.yml
+++ b/compute/ecs_cluster/module.yml
@@ -324,16 +324,49 @@ input:
         default: false
         show_when:
           enable_public_alb: true
+    - use_ravion_subdomain:
+        type: boolean
+        label: "Use a Ravion-generated subdomain"
+        description: "Skip DNS setup — Ravion allocates *.<module-instance-id>.ravion.app and issues the wildcard cert. Turn off to bring your own zone (Cloudflare, Route53, etc.)."
+        default: true
+        show_when:
+          enable_public_alb: true
+          public_alb_enable_https: true
+    - ravion_dns_provider_id:
+        type: string
+        label: "DNS Provider"
+        description: "Ravion DnsProvider the cluster's wildcard FQDN lives under. Register providers (Route53, Cloudflare, or other) on the DNS Providers settings page. Only consulted when use_ravion_subdomain is off."
+        show_when:
+          enable_public_alb: true
+          public_alb_enable_https: true
+          use_ravion_subdomain: false
+        values: "$values:ravion/dns-providers-customer"
+    - ravion_dns_provider_given_id:
+        type: string
+        label: "DNS Provider (by stable id)"
+        description: "Per-org stable identifier — same dual-lookup as ravion_dns_provider_id. Use this when module definitions are shared across orgs that reference the same provider by name."
+        show_when:
+          enable_public_alb: true
+          public_alb_enable_https: true
+          use_ravion_subdomain: false
+          ravion_dns_provider_id: ""
+    - ravion_cluster_slug:
+        type: string
+        label: "FQDN Slug"
+        description: "Human-readable slug used to derive the cluster's FQDN (<slug>-<hash>.<apex>). Defaults to the cluster name when empty. Ignored in auto-mode (uses the module-instance id as the literal label)."
+        show_when:
+          enable_public_alb: true
+          public_alb_enable_https: true
+          use_ravion_subdomain: false
     - public_alb_certificate_arns:
         type: list
-        label: "ACM Certificate ARNs"
-        description: "ACM certificate ARNs for HTTPS. The first ARN is the default certificate; additional ARNs are attached for SNI"
+        label: "ACM Certificate ARNs (BYO)"
+        description: "ACM certificate ARNs for HTTPS. Used directly when no DNS provider is selected, or appended after the Ravion-managed wildcard cert as additional SNI certificates. The first ARN is the listener's default in BYO mode."
+        default: []
         show_when:
           enable_public_alb: true
           public_alb_enable_https: true
         validation:
-          required: true
-          min_length: 1
           patterns:
             - pattern: "^arn:aws:acm:[a-z0-9-]+:[0-9]+:certificate/[a-z0-9-]+$"
               message: "Must be a valid ACM certificate ARN"
@@ -515,6 +548,13 @@ output:
   public_alb_security_group_id: string
   public_alb_http_listener_arn: string
   public_alb_https_listener_arn: string
+  # Ravion managed domains
+  ravion_managed_domains_enabled: boolean
+  ravion_cluster_domain_allocation_id: string
+  ravion_cluster_managed_domain_id: string
+  ravion_cluster_fqdn: string
+  ravion_cluster_certificate_arn: string
+  ravion_dns_provider_id: string
   # Private ALB
   private_alb_arn: string
   private_alb_id: string
diff --git a/compute/ecs_cluster/outputs.tf b/compute/ecs_cluster/outputs.tf
index 8d5a5cd..4025b64 100644
--- a/compute/ecs_cluster/outputs.tf
+++ b/compute/ecs_cluster/outputs.tf
@@ -240,3 +240,15 @@ output "region" {
   description = "The AWS region where the resources are deployed."
   value       = local.region
 }
+
+################################################################################
+# Ravion domain control plane outputs
+#
+# Consumed by sibling ecs_service modules to allocate child FQDNs that
+# inherit the cluster's wildcard cert via SNI.
+################################################################################
+
+output "ravion_certificate_groups" {
+  description = "Map of cluster cert-group name → {parent_allocation_id, wildcard_fqdn, cert_arn, managed_domain_id}. Service modules consume this via their cert groups (kind = inherit, parent_group_name = \"<name>\")."
+  value       = module.ravion_cert_groups.parent_groups
+}
diff --git a/compute/ecs_cluster/ravion_domains.tf b/compute/ecs_cluster/ravion_domains.tf
new file mode 100644
index 0000000..d633274
--- /dev/null
+++ b/compute/ecs_cluster/ravion_domains.tf
@@ -0,0 +1,22 @@
+################################################################################
+# Cluster-side instantiation of the shared cert-groups module in parent mode.
+#
+# Each row in var.ravion_certificate_groups creates ONE wildcard ACM
+# cert + ONE parent DomainAllocation services can nest under. NO
+# listener rules + NO routing records at the cluster level — services
+# own routing for their leaf FQDNs.
+################################################################################
+
+module "ravion_cert_groups" {
+  source = "../../_shared/ravion_cert_groups"
+
+  name               = var.name
+  mode               = "parent"
+  cert_groups        = var.ravion_certificate_groups
+  module_instance_id = var.module_instance_id
+
+  # SNI cert attachment lands on the cluster's HTTPS listener.
+  listener_arn = var.enable_public_alb && var.public_alb_enable_https ? module.public_alb[0].https_listener_arn : null
+
+  tags = var.tags
+}
diff --git a/compute/ecs_cluster/variables.tf b/compute/ecs_cluster/variables.tf
index c7e37d7..5eb9d8f 100644
--- a/compute/ecs_cluster/variables.tf
+++ b/compute/ecs_cluster/variables.tf
@@ -169,7 +169,7 @@ variable "ec2_ami_id" {
   default     = null
 
   validation {
-    condition     = var.ec2_ami_id == null || can(regex("^ami-", var.ec2_ami_id))
+    condition = var.ec2_ami_id == null || can(regex("^ami-", var.ec2_ami_id))
     error_message = "The ec2_ami_id must be a valid AMI ID starting with 'ami-'."
   }
 }
@@ -414,7 +414,7 @@ variable "public_alb_access_logs_bucket_arn" {
   default     = null
 
   validation {
-    condition     = var.public_alb_access_logs_bucket_arn == null || can(regex("^arn:aws:s3:::", var.public_alb_access_logs_bucket_arn))
+    condition = var.public_alb_access_logs_bucket_arn == null || can(regex("^arn:aws:s3:::", var.public_alb_access_logs_bucket_arn))
     error_message = "The public_alb_access_logs_bucket_arn must be a valid S3 bucket ARN."
   }
 }
@@ -425,7 +425,7 @@ variable "public_alb_web_acl_arn" {
   default     = null
 
   validation {
-    condition     = var.public_alb_web_acl_arn == null || can(regex("^arn:aws:wafv2:", var.public_alb_web_acl_arn))
+    condition = var.public_alb_web_acl_arn == null || can(regex("^arn:aws:wafv2:", var.public_alb_web_acl_arn))
     error_message = "The public_alb_web_acl_arn must be a valid WAFv2 Web ACL ARN."
   }
 }
@@ -497,7 +497,7 @@ variable "private_alb_access_logs_bucket_arn" {
   default     = null
 
   validation {
-    condition     = var.private_alb_access_logs_bucket_arn == null || can(regex("^arn:aws:s3:::", var.private_alb_access_logs_bucket_arn))
+    condition = var.private_alb_access_logs_bucket_arn == null || can(regex("^arn:aws:s3:::", var.private_alb_access_logs_bucket_arn))
     error_message = "The private_alb_access_logs_bucket_arn must be a valid S3 bucket ARN."
   }
 }
@@ -541,7 +541,7 @@ variable "public_nlb_access_logs_bucket_arn" {
   default     = null
 
   validation {
-    condition     = var.public_nlb_access_logs_bucket_arn == null || can(regex("^arn:aws:s3:::", var.public_nlb_access_logs_bucket_arn))
+    condition = var.public_nlb_access_logs_bucket_arn == null || can(regex("^arn:aws:s3:::", var.public_nlb_access_logs_bucket_arn))
     error_message = "The public_nlb_access_logs_bucket_arn must be a valid S3 bucket ARN."
   }
 }
@@ -602,7 +602,7 @@ variable "private_nlb_access_logs_bucket_arn" {
   default     = null
 
   validation {
-    condition     = var.private_nlb_access_logs_bucket_arn == null || can(regex("^arn:aws:s3:::", var.private_nlb_access_logs_bucket_arn))
+    condition = var.private_nlb_access_logs_bucket_arn == null || can(regex("^arn:aws:s3:::", var.private_nlb_access_logs_bucket_arn))
     error_message = "The private_nlb_access_logs_bucket_arn must be a valid S3 bucket ARN."
   }
 }
@@ -629,3 +629,57 @@ variable "region" {
   description = "AWS region. When null, the provider's configured region is used."
   default     = null
 }
+
+################################################################################
+# Ravion domain control plane — cluster wildcard cert groups
+#
+# Each row in var.ravion_certificate_groups creates ONE wildcard ACM
+# cert covering `*.<wildcard_fqdn>` and attaches it as an SNI cert on
+# the cluster's HTTPS listener. Services nest leaf FQDNs under any of
+# these wildcards via their own cert groups (kind = inherit,
+# parent_group_name = "<this group's name>"). Three kinds:
+#
+#   ravion_auto — Ravion-managed apex. Wildcard FQDN is auto-derived as
+#                 `<module-instance-id>.<platform-apex>`. Zero typing.
+#   customer    — Operator's own DnsProvider on the row + wildcard_fqdn
+#                 typed by the operator. Wildcard cert covers
+#                 `*.<wildcard_fqdn>`.
+#   external    — (commit 86) external DNS the operator manages by hand;
+#                 cert + records are surfaced for the user to add.
+################################################################################
+
+variable "ravion_certificate_groups" {
+  type = list(object({
+    name                  = string
+    kind                  = string
+    dns_provider_id       = optional(string)
+    dns_provider_given_id = optional(string)
+    wildcard_fqdn         = optional(string)
+    domains               = optional(list(string), [])
+  }))
+  description = "Cluster-level wildcard cert groups. Services nest under one of these via their own cert groups."
+  default     = []
+
+  validation {
+    condition     = alltrue([for g in var.ravion_certificate_groups : contains(["ravion_auto", "customer", "external"], g.kind)])
+    error_message = "Each group's `kind` must be one of: ravion_auto, customer, external."
+  }
+  validation {
+    condition     = length(distinct([for g in var.ravion_certificate_groups : g.name])) == length(var.ravion_certificate_groups)
+    error_message = "Cert group names must be unique."
+  }
+  validation {
+    condition     = alltrue([for g in var.ravion_certificate_groups : g.kind == "ravion_auto" || (g.wildcard_fqdn != null && g.wildcard_fqdn != "")])
+    error_message = "customer/external groups must set wildcard_fqdn."
+  }
+  validation {
+    condition     = alltrue([for g in var.ravion_certificate_groups : g.kind != "customer" || g.dns_provider_id != null || g.dns_provider_given_id != null])
+    error_message = "customer groups must set dns_provider_id or dns_provider_given_id."
+  }
+}
+
+variable "module_instance_id" {
+  type        = string
+  description = "Cluster module-instance id, injected by the Ravion runner. Used by ravion_auto cert groups to derive the wildcard FQDN slug."
+  default     = null
+}
diff --git a/compute/ecs_cluster/versions.tf b/compute/ecs_cluster/versions.tf
index bec739b..7c09685 100644
--- a/compute/ecs_cluster/versions.tf
+++ b/compute/ecs_cluster/versions.tf
@@ -12,7 +12,14 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 6.0"
     }
+    # The V2 provider exposes `data.ravion_dns_provider` (discriminated
+    # data source) + `ravion_dns_records` (now SDK-backed: when the
+    # api-go side has a real writer for the provider type, the resource
+    # write triggers the real DNS write via the api-go's per-provider
+    # SDK — no per-provider HCL needed here).
+    ravion = {
+      source  = "ravion.com/ravion/domains"
+      version = ">= 2.0.0"
+    }
   }
 }
-
-
diff --git a/compute/ecs_service/.terraform.lock.hcl b/compute/ecs_service/.terraform.lock.hcl
deleted file mode 100644
index 28ffb2f..0000000
--- a/compute/ecs_service/.terraform.lock.hcl
+++ /dev/null
@@ -1,25 +0,0 @@
-# This file is maintained automatically by "tofu init".
-# Manual edits may be lost in future updates.
-
-provider "registry.opentofu.org/hashicorp/aws" {
-  version     = "6.39.0"
-  constraints = ">= 5.0.0"
-  hashes = [
-    "h1:c9SG8ZdYgzqpxORpTqeLFeXW4qQQ8GMGCcUkU+FAfQM=",
-    "zh:00a6c0d8b5b86833087e367b632e9ab73fb8db9c43569020ebd0489dc2c919ce",
-    "zh:05f2b56211f4c8a0b66a093d025187cbc7be086dedef62306f5a28290598ebdc",
-    "zh:24d97a31d5ab814c33ed32a5b7674f1a15544b2367a95bddd00cfdd8d6b82740",
-    "zh:258194e24ac07ee194d580ca25a25fa7bc48fa40fed4fd58352b0a64da0da4c9",
-    "zh:315337e5f0ccafeadf490f117151b52c6d66244bf652f4fee975eddda662af3b",
-    "zh:38573dd56cca8c0ffe33396cf17cc8bd13de1d27d3c4da4177e485d174f1eaf0",
-    "zh:4baa806c5eb8faae95cea3f1dfafb153b5e3e96c5b30a2102072da4f032d2d9b",
-    "zh:4f258106baca7e00a6904b2353579d283e4400a75cd0353a25e057921e8a8d96",
-    "zh:62e5d4628d03883a6c2a6e3c297eb54df9b5935e9e3a655dbb1c6c5ddaf7ea33",
-    "zh:8af5fae01c1cef65d149fa6fe47e94cf46ffa97d29e8f2dfe41aeae01da590ea",
-    "zh:a8240b40f7be408ac24897597a85dc4fe56f390224b11ecad2c1327e686fca58",
-    "zh:c549eee2a0cf0e2c4a676614d990121b685beab0047b1073407ee26247c4be13",
-    "zh:cfed074ba8948c75445c74c69722cb17c960024b1917b4f26905aa9c9ac4e667",
-    "zh:d6f4f4fa01e33d0d546705e2776f38d0b4f2847827b3f07ecde87cc02ef3d23e",
-    "zh:e7239b349c3149e4670750481b687c5c828908fd09f2196d7af1ac1b4d83e80b",
-  ]
-}
diff --git a/compute/ecs_service/auto_scaling.tf b/compute/ecs_service/auto_scaling.tf
index a52651b..f5d10c0 100644
--- a/compute/ecs_service/auto_scaling.tf
+++ b/compute/ecs_service/auto_scaling.tf
@@ -71,7 +71,7 @@ resource "aws_appautoscaling_policy" "target_tracking" {
 ################################################################################
 
 resource "aws_appautoscaling_scheduled_action" "this" {
-  for_each = local.enable_auto_scaling && var.auto_scaling.scheduled != null ? {
+  for_each = local.enable_auto_scaling && try(var.auto_scaling.scheduled, null) != null ? {
     for action in var.auto_scaling.scheduled : action.name => action
   } : {}
 
diff --git a/compute/ecs_service/data.tf b/compute/ecs_service/data.tf
index 7d2d538..7fadc60 100644
--- a/compute/ecs_service/data.tf
+++ b/compute/ecs_service/data.tf
@@ -12,4 +12,6 @@ data "aws_vpc" "this" {
   id = var.vpc_id
 }
 
+# DnsProvider lookups (per cert-group + platform apex) live inside the
+# shared ravion_cert_groups child module.
 
diff --git a/compute/ecs_service/locals.tf b/compute/ecs_service/locals.tf
index c0fe0ad..13e309c 100644
--- a/compute/ecs_service/locals.tf
+++ b/compute/ecs_service/locals.tf
@@ -19,10 +19,10 @@ locals {
   deployment_controller_type = var.deployment_type == "blue_green" ? "CODE_DEPLOY" : "ECS"
 
   # Determine if load balancer is configured
-  enable_load_balancer = var.load_balancer_attachment != null && var.load_balancer_attachment.enabled
+  enable_load_balancer = try(var.load_balancer_attachment.enabled, false)
 
   # Determine if NLB listener should be created (vs ALB listener rules)
-  enable_nlb_listener = local.enable_load_balancer && var.load_balancer_attachment.nlb_listener != null
+  enable_nlb_listener = local.enable_load_balancer && try(var.load_balancer_attachment.nlb_listener, null) != null
 
   # Placeholder container name and port
   placeholder_container_name = "app"
@@ -105,7 +105,7 @@ locals {
   ])
 
   # Auto scaling settings
-  enable_auto_scaling = var.auto_scaling != null && var.auto_scaling.enabled
+  enable_auto_scaling = try(var.auto_scaling.enabled, false)
 
   # Service discovery settings
   enable_service_discovery = var.service_discovery != null
diff --git a/compute/ecs_service/outputs.tf b/compute/ecs_service/outputs.tf
index a21ab18..a776c23 100644
--- a/compute/ecs_service/outputs.tf
+++ b/compute/ecs_service/outputs.tf
@@ -249,3 +249,17 @@ output "region" {
 }
 
 
+
+################################################################################
+# Ravion domain control plane outputs
+################################################################################
+
+output "ravion_domain_fqdns" {
+  description = "Map of `<group>/<slug>` → FQDN for every cert-group allocation."
+  value       = module.ravion_cert_groups.domain_fqdns
+}
+
+output "ravion_domain_allocation_ids" {
+  description = "Map of `<group>/<slug>` → DomainAllocation id."
+  value       = module.ravion_cert_groups.domain_allocation_ids
+}
diff --git a/compute/ecs_service/ravion_domains.tf b/compute/ecs_service/ravion_domains.tf
new file mode 100644
index 0000000..dcd9d64
--- /dev/null
+++ b/compute/ecs_service/ravion_domains.tf
@@ -0,0 +1,23 @@
+################################################################################
+# Service-side instantiation of the shared cert-groups module.
+#
+# All allocation / cert / DNS-record / listener-rule resources live in
+# `modules/_shared/ravion_cert_groups`. This file just wires up the
+# routing target (cluster's ALB DNS + zone + HTTPS listener + this
+# service's target group) and forwards the operator's
+# `var.ravion_certificate_groups`.
+################################################################################
+
+module "ravion_cert_groups" {
+  source = "../../_shared/ravion_cert_groups"
+
+  name                     = var.name
+  cert_groups              = var.ravion_certificate_groups
+  cluster_groups           = var.ravion_parent_certificate_groups
+  module_instance_given_id = var.module_instance_given_id
+  routing_target_dns_name  = var.ravion_cluster_alb_dns_name
+  routing_target_zone_id   = var.ravion_cluster_alb_zone_id
+  listener_arn             = var.ravion_cluster_https_listener_arn
+  target_group_arn         = try(aws_lb_target_group.this[0].arn, null)
+  tags                     = var.tags
+}
diff --git a/compute/ecs_service/variables.tf b/compute/ecs_service/variables.tf
index 13f70cd..3008db1 100644
--- a/compute/ecs_service/variables.tf
+++ b/compute/ecs_service/variables.tf
@@ -201,7 +201,7 @@ variable "execution_role_arn" {
   default     = null
 
   validation {
-    condition     = var.execution_role_arn == null || can(regex("^arn:aws:iam::", var.execution_role_arn))
+    condition = var.execution_role_arn == null || can(regex("^arn:aws:iam::", var.execution_role_arn))
     error_message = "The execution_role_arn must be a valid IAM role ARN."
   }
 }
@@ -212,7 +212,7 @@ variable "task_role_arn" {
   default     = null
 
   validation {
-    condition     = var.task_role_arn == null || can(regex("^arn:aws:iam::", var.task_role_arn))
+    condition = var.task_role_arn == null || can(regex("^arn:aws:iam::", var.task_role_arn))
     error_message = "The task_role_arn must be a valid IAM role ARN."
   }
 }
@@ -376,7 +376,7 @@ variable "load_balancer_security_group_id" {
   default     = null
 
   validation {
-    condition     = var.load_balancer_security_group_id == null || can(regex("^sg-", var.load_balancer_security_group_id))
+    condition = var.load_balancer_security_group_id == null || can(regex("^sg-", var.load_balancer_security_group_id))
     error_message = "The load_balancer_security_group_id must be a valid security group ID starting with 'sg-'."
   }
 }
@@ -458,19 +458,19 @@ variable "load_balancer_attachment" {
   default     = null
 
   validation {
-    condition = var.load_balancer_attachment == null || contains(
+    condition = try(contains(
       ["HTTP", "HTTPS", "TCP", "UDP", "TLS", "TCP_UDP", "GENEVE"],
       var.load_balancer_attachment.target_group.protocol
-    )
+    ), true)
     error_message = "The protocol must be one of: HTTP, HTTPS (for ALB), or TCP, UDP, TLS, TCP_UDP, GENEVE (for NLB/GWLB)."
   }
 
   validation {
-    condition = var.load_balancer_attachment == null || var.load_balancer_attachment.target_group.stickiness == null || (
+    condition = try(var.load_balancer_attachment.target_group.stickiness == null || (
       contains(["HTTP", "HTTPS"], var.load_balancer_attachment.target_group.protocol)
       ? contains(["lb_cookie", "app_cookie"], var.load_balancer_attachment.target_group.stickiness.type)
       : var.load_balancer_attachment.target_group.stickiness.type == "source_ip"
-    )
+    ), true)
     error_message = "Stickiness type must be 'lb_cookie' or 'app_cookie' for ALB (HTTP/HTTPS), or 'source_ip' for NLB (TCP/UDP/TLS)."
   }
 }
@@ -599,3 +599,130 @@ variable "region" {
   description = "AWS region. When null, the provider's configured region is used."
   default     = null
 }
+
+################################################################################
+# Ravion domain control plane
+#
+# V2: pass the parent cluster's outputs in via ravion_dns_provider_id
+# (`module.ecs_cluster.ravion_dns_provider_id`) and the existing
+# ravion_parent_domain_allocation_id, ravion_cluster_alb_*, and
+# ravion_cluster_https_listener_arn knobs. The data source in data.tf
+# resolves the provider's discriminated config so the routing-record
+# write path (Route53 vs Cloudflare vs metadata-only) picks the right
+# variant.
+################################################################################
+
+variable "ravion_parent_certificate_groups" {
+  type = map(object({
+    parent_allocation_id = string
+    managed_domain_id    = string
+    wildcard_fqdn        = string
+    cert_arn             = string
+    dns_provider_id      = string
+    # `PLATFORM` | `CUSTOMER` — mirror of the parent cert's ownership
+    # so service-level `inherit` cert groups can stamp the same value
+    # on their placeholder ManagedCertificate row.
+    ownership = string
+  }))
+  description = "Cluster's `ravion_certificate_groups` output. Auto-wired from `module.ecs_cluster.ravion_certificate_groups`. Service `inherit` cert groups look up their parent here by `parent_group_name`."
+  default     = {}
+}
+
+variable "module_instance_given_id" {
+  type        = string
+  description = "The service module-instance's given_id. Used by `inherit` cert groups with empty `domains` as the slug for the auto-allocated URL. Injected by the Ravion runner."
+  default     = null
+}
+
+variable "ravion_cluster_alb_dns_name" {
+  type        = string
+  description = "Cluster ALB DNS name, from `module.ecs_cluster.public_alb_dns_name`. Used as the routing target for customer cert-group records."
+  default     = null
+}
+
+variable "ravion_cluster_alb_zone_id" {
+  type        = string
+  description = "Cluster ALB hosted-zone id, from `module.ecs_cluster.public_alb_zone_id`. Used by Route53 ALIAS routing records on customer cert groups."
+  default     = null
+}
+
+variable "ravion_cluster_https_listener_arn" {
+  type        = string
+  description = "Cluster HTTPS listener ARN, from `module.ecs_cluster.public_alb_https_listener_arn`. Required for all cert-group kinds so host-header rules + customer-group SNI cert attachments can be created."
+  default     = null
+}
+
+variable "ravion_certificate_groups" {
+  type = list(object({
+    # Stable per-service identifier used in TF state keys + AWS tags.
+    name = string
+
+    # Source kind:
+    #   inherit — Inherit a cluster wildcard cert. Pick the
+    #     cluster group via `parent_group_name`. `domains` = optional
+    #     list of DNS-safe leaf labels.
+    #   customer — Operator's own DnsProvider (`dns_provider_id`) +
+    #     full FQDNs in `domains`. Issues own ACM cert.
+    #   external — External DNS the operator manages by hand. We
+    #     issue the cert + surface the validation + routing records
+    #     via the Domains page. Apply fails fast (5m) when records
+    #     aren't live; user adds records, re-runs apply.
+    kind = string
+
+    # Required when kind == "inherit". Name of the cluster's
+    # cert group to inherit from. Must exist as a key in
+    # var.ravion_parent_certificate_groups.
+    parent_group_name = optional(string)
+
+    # Required when kind == "customer". Either id or given_id wins.
+    dns_provider_id       = optional(string)
+    dns_provider_given_id = optional(string)
+
+    # Domain entries. Semantics depend on kind (see above).
+    domains = list(string)
+  }))
+  description = "Per-service certificate groups. Two kinds: `inherit` (inherit a chosen cluster wildcard cert) or `customer` (own DNS provider + own ACM cert, up to 10 FQDNs)."
+  default     = []
+
+  validation {
+    condition     = alltrue([for g in var.ravion_certificate_groups : contains(["inherit", "customer", "external"], g.kind)])
+    error_message = "Each group's `kind` must be one of: inherit, customer, external."
+  }
+  validation {
+    condition     = alltrue([for g in var.ravion_certificate_groups : g.kind != "external" || length(g.domains) >= 1])
+    error_message = "external cert groups must contain at least 1 domain (full FQDN)."
+  }
+  validation {
+    condition     = alltrue([for g in var.ravion_certificate_groups : g.kind != "external" || length(g.domains) <= 10])
+    error_message = "external cert groups can contain at most 10 domains (ACM default SAN limit)."
+  }
+  validation {
+    condition     = length(distinct([for g in var.ravion_certificate_groups : g.name])) == length(var.ravion_certificate_groups)
+    error_message = "Certificate group names must be unique within a service."
+  }
+  validation {
+    condition     = alltrue([for g in var.ravion_certificate_groups : g.kind != "inherit" || (g.parent_group_name != null && g.parent_group_name != "")])
+    error_message = "inherit groups must set parent_group_name."
+  }
+  validation {
+    condition     = alltrue([for g in var.ravion_certificate_groups : g.kind != "customer" || length(g.domains) <= 10])
+    error_message = "Customer cert groups can contain at most 10 domains (ACM default SAN limit)."
+  }
+  validation {
+    condition     = alltrue([for g in var.ravion_certificate_groups : g.kind != "customer" || length(g.domains) >= 1])
+    error_message = "Customer cert groups must contain at least 1 domain."
+  }
+  validation {
+    condition     = alltrue([for g in var.ravion_certificate_groups : g.kind != "customer" || g.dns_provider_id != null || g.dns_provider_given_id != null])
+    error_message = "Customer cert groups must set dns_provider_id (or dns_provider_given_id)."
+  }
+  validation {
+    condition = alltrue([
+      for g in var.ravion_certificate_groups :
+      g.kind != "inherit" || alltrue([
+        for d in g.domains : can(regex("^[a-z0-9]([a-z0-9-]*[a-z0-9])?$", d)) && length(d) <= 63
+      ])
+    ])
+    error_message = "inherit group `domains` entries must be DNS-safe leaf labels matching ^[a-z0-9]([a-z0-9-]*[a-z0-9])?$ (<=63 chars)."
+  }
+}
diff --git a/compute/ecs_service/versions.tf b/compute/ecs_service/versions.tf
index bec739b..97a0104 100644
--- a/compute/ecs_service/versions.tf
+++ b/compute/ecs_service/versions.tf
@@ -12,7 +12,9 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 6.0"
     }
+    ravion = {
+      source  = "ravion.com/ravion/domains"
+      version = ">= 2.0.0"
+    }
   }
 }
-
-
diff --git a/hosting/static_site/cloudfront.tf b/hosting/static_site/cloudfront.tf
index dd22a5f..657dcda 100644
--- a/hosting/static_site/cloudfront.tf
+++ b/hosting/static_site/cloudfront.tf
@@ -19,12 +19,12 @@ module "cdn" {
 
   name = var.name
 
-  distributions = var.distributions
+  distributions = local.effective_distributions
 
   origins = [
     {
       origin_id      = local.origin_id
-      domain_name    = module.hosting.bucket_regional_domain_name
+      domain_name    = local.hosting_bucket_regional_domain_name
       s3_origin      = true
       custom_headers = var.additional_origin_headers
       origin_shield = var.origin_shield_region == null ? null : {
diff --git a/hosting/static_site/locals.tf b/hosting/static_site/locals.tf
index c81f452..8f98393 100644
--- a/hosting/static_site/locals.tf
+++ b/hosting/static_site/locals.tf
@@ -94,11 +94,48 @@ locals {
     local.html_cache_behaviors,
   )
 
-  cff_name           = substr(replace("${var.name}-rewrite", "/[^a-zA-Z0-9-_]/", "-"), 0, 64)
-  kvs_name           = substr(replace("${var.name}-kvs", "/[^a-zA-Z0-9-]/", "-"), 0, 64)
-  deploy_role_name   = var.deploy_role_name != null ? var.deploy_role_name : "${var.name}-deploy"
-  oac_policy_sid     = "AllowCloudFrontServicePrincipal"
-  partition          = data.aws_partition.current.partition
-  account_id         = data.aws_caller_identity.current.account_id
-  hosting_bucket_arn = "arn:${local.partition}:s3:::${var.name}"
+  cff_name         = substr(replace("${var.name}-rewrite", "/[^a-zA-Z0-9-_]/", "-"), 0, 64)
+  kvs_name         = substr(replace("${var.name}-kvs", "/[^a-zA-Z0-9-]/", "-"), 0, 64)
+  deploy_role_name = var.deploy_role_name != null ? var.deploy_role_name : "${var.name}-deploy"
+  oac_policy_sid   = "AllowCloudFrontServicePrincipal"
+  partition        = data.aws_partition.current.partition
+  account_id       = data.aws_caller_identity.current.account_id
+
+  # Bucket-source dispatch. When the four `existing_bucket_*` inputs are
+  # set, skip the in-module storage/s3 instantiation and use the
+  # caller-supplied bucket directly. The OAC bucket-policy resource still
+  # binds to whichever bucket is in use.
+  #
+  # The non-existing branch derives id/arn/regional_domain_name from
+  # `var.name` + `local.region` (string-deterministic) instead of reading
+  # them from `module.hosting[*]` outputs. This avoids the cycle:
+  #   module.hosting -> data.policy_document -> local.hosting_bucket_arn
+  #                       -> module.hosting (would re-enter)
+  # All three values are well-known for S3 buckets: id == name,
+  # arn == arn:<partition>:s3:::<name>,
+  # regional_domain_name == <name>.s3.<region>.amazonaws.com.
+  use_existing_bucket                 = var.existing_bucket_id != null
+  hosting_bucket_id                   = local.use_existing_bucket ? var.existing_bucket_id : var.name
+  hosting_bucket_arn                  = local.use_existing_bucket ? var.existing_bucket_arn : "arn:${local.partition}:s3:::${var.name}"
+  hosting_bucket_region               = local.use_existing_bucket ? var.existing_bucket_region : local.region
+  hosting_bucket_regional_domain_name = local.use_existing_bucket ? var.existing_bucket_regional_domain_name : "${var.name}.s3.${local.region}.amazonaws.com"
+
+  # Ravion-domain auto-allocation gating. When enabled the module
+  # allocates one FQDN, issues an ACM cert (us-east-1), and attaches both
+  # as the alias of `var.distributions[ravion_attach_distribution_key]`.
+  use_ravion_domain      = var.ravion_dns_provider_id != null
+  ravion_slug            = coalesce(var.ravion_domain_slug, var.name)
+  ravion_cert_group_name = coalesce(var.ravion_cert_group_name, var.name)
+  ravion_attach_key      = var.ravion_attach_distribution_key
+
+  # When Ravion-domain auto-allocation is on, merge alias + cert_arn into
+  # the selected distribution. Callers can still pass extra aliases on
+  # other distribution keys; the auto-allocated one is appended.
+  effective_distributions = local.use_ravion_domain ? {
+    for k, d in var.distributions :
+    k => k == local.ravion_attach_key ? merge(d, {
+      aliases             = distinct(concat(coalesce(d.aliases, []), one(ravion_domain.this[*].fqdn) != null ? [one(ravion_domain.this[*].fqdn)] : []))
+      acm_certificate_arn = one(aws_acm_certificate_validation.ravion[*].certificate_arn)
+    }) : d
+  } : var.distributions
 }
diff --git a/hosting/static_site/outputs.tf b/hosting/static_site/outputs.tf
index 301154c..1e605cd 100644
--- a/hosting/static_site/outputs.tf
+++ b/hosting/static_site/outputs.tf
@@ -3,23 +3,23 @@
 ################################################################################
 
 output "hosting_bucket_id" {
-  description = "Name of the S3 hosting bucket."
-  value       = module.hosting.bucket_id
+  description = "Name of the S3 hosting bucket. Sourced from the in-module bucket or the caller-supplied `existing_bucket_id` override."
+  value       = local.hosting_bucket_id
 }
 
 output "hosting_bucket_arn" {
   description = "ARN of the S3 hosting bucket."
-  value       = module.hosting.bucket_arn
+  value       = local.hosting_bucket_arn
 }
 
 output "hosting_bucket_regional_domain_name" {
   description = "Regional domain name of the S3 hosting bucket (used as CloudFront origin)."
-  value       = module.hosting.bucket_regional_domain_name
+  value       = local.hosting_bucket_regional_domain_name
 }
 
 output "hosting_bucket_region" {
   description = "AWS region where the hosting bucket lives."
-  value       = module.hosting.bucket_region
+  value       = local.hosting_bucket_region
 }
 
 ################################################################################
diff --git a/hosting/static_site/ravion_domain.tf b/hosting/static_site/ravion_domain.tf
new file mode 100644
index 0000000..3d8a8ea
--- /dev/null
+++ b/hosting/static_site/ravion_domain.tf
@@ -0,0 +1,107 @@
+################################################################################
+# Ravion-domain auto-allocation
+#
+# Opt-in via `var.ravion_dns_provider_id`. When set, this file:
+#   1. Allocates one FQDN under the chosen DnsProvider (typically the
+#      platform apex for "auto-generate on platform apex" callers).
+#   2. Requests an ACM cert in us-east-1 for that FQDN
+#      (CloudFront viewer certs MUST be us-east-1).
+#   3. Publishes the ACM DNS-01 validation records via `ravion_dns_records`.
+#   4. Blocks on `aws_acm_certificate_validation` so the cert ARN we
+#      hand to CloudFront is guaranteed ISSUED.
+#   5. Publishes the routing record (ALIAS → CloudFront) via
+#      `ravion_dns_records`.
+#   6. Registers the cert in the Ravion domain control plane via
+#      `ravion_managed_certificate` so the Domains tab shows the cert
+#      against the allocation.
+#
+# The CloudFront alias + cert attachment happens in `locals.tf` via
+# `effective_distributions`, which merges these computed values into
+# `var.distributions[var.ravion_attach_distribution_key]`.
+#
+# When `var.ravion_dns_provider_id` is null, every resource here has
+# count = 0 and the module reverts to today's behavior (caller-supplied
+# aliases/cert ARN on the distributions input).
+################################################################################
+
+resource "ravion_domain" "this" {
+  count = local.use_ravion_domain ? 1 : 0
+
+  dns_provider_id = var.ravion_dns_provider_id
+  slug            = local.ravion_slug
+}
+
+resource "aws_acm_certificate" "ravion" {
+  count = local.use_ravion_domain ? 1 : 0
+
+  provider = aws.us_east_1
+
+  domain_name       = ravion_domain.this[0].fqdn
+  validation_method = "DNS"
+
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  tags = local.tags
+}
+
+resource "ravion_dns_records" "ravion_validation" {
+  count = local.use_ravion_domain ? 1 : 0
+
+  managed_domain_id = ravion_domain.this[0].id
+  purpose           = "acm_validation"
+
+  records = [
+    for o in aws_acm_certificate.ravion[0].domain_validation_options : {
+      name  = trimsuffix(o.resource_record_name, ".")
+      type  = o.resource_record_type
+      value = trimsuffix(o.resource_record_value, ".")
+      ttl   = 60
+    }
+  ]
+}
+
+resource "aws_acm_certificate_validation" "ravion" {
+  count = local.use_ravion_domain ? 1 : 0
+
+  provider = aws.us_east_1
+
+  certificate_arn         = aws_acm_certificate.ravion[0].arn
+  validation_record_fqdns = ravion_dns_records.ravion_validation[0].fqdns
+}
+
+# Routing record: ALIAS the allocated FQDN at the CloudFront
+# distribution this module just attached the cert to. The distribution
+# domain + hosted-zone id come from `module.cdn` outputs.
+resource "ravion_dns_records" "ravion_routing" {
+  count = local.use_ravion_domain ? 1 : 0
+
+  managed_domain_id = ravion_domain.this[0].id
+  purpose           = "routing"
+
+  records = [{
+    name = ravion_domain.this[0].fqdn
+    type = "ALIAS"
+    value = jsonencode({
+      dns_name = module.cdn.distribution_domain_names[local.ravion_attach_key]
+      zone_id  = module.cdn.distribution_hosted_zone_ids[local.ravion_attach_key]
+    })
+  }]
+}
+
+resource "ravion_managed_certificate" "ravion" {
+  count = local.use_ravion_domain ? 1 : 0
+
+  cert_arn  = aws_acm_certificate_validation.ravion[0].certificate_arn
+  status    = "ISSUED"
+  pattern   = "EXACT"
+  ownership = "PLATFORM"
+
+  managed_domain_ids = [ravion_domain.this[0].managed_domain_id]
+  name               = local.ravion_cert_group_name
+  kind               = "ravion_auto"
+
+  issued_at  = aws_acm_certificate.ravion[0].not_before
+  expires_at = aws_acm_certificate.ravion[0].not_after
+}
diff --git a/hosting/static_site/s3_hosting.tf b/hosting/static_site/s3_hosting.tf
index 4a0c3ac..9933755 100644
--- a/hosting/static_site/s3_hosting.tf
+++ b/hosting/static_site/s3_hosting.tf
@@ -13,6 +13,7 @@
 
 module "hosting" {
   source = "../../storage/s3"
+  count  = local.use_existing_bucket ? 0 : 1
 
   name               = var.name
   region             = var.region
@@ -26,3 +27,16 @@ module "hosting" {
 
   tags = local.tags
 }
+
+# When using a caller-supplied bucket (`existing_bucket_*` set), the
+# bucket lives in another stack and that stack doesn't know our
+# distribution ARNs. We still need the OAC grant for CloudFront, so
+# attach the same policy here directly. The owning stack must NOT manage
+# `aws_s3_bucket_policy` on this bucket — only one policy may exist per
+# bucket at a time.
+resource "aws_s3_bucket_policy" "existing" {
+  count = local.use_existing_bucket ? 1 : 0
+
+  bucket = var.existing_bucket_id
+  policy = data.aws_iam_policy_document.hosting_bucket_policy.json
+}
diff --git a/hosting/static_site/variables.tf b/hosting/static_site/variables.tf
index 9c3c4d1..96d50fd 100644
--- a/hosting/static_site/variables.tf
+++ b/hosting/static_site/variables.tf
@@ -4,7 +4,7 @@
 
 variable "name" {
   type        = string
-  description = "Name prefix for all resources created by this module. Also used as the hosting bucket name (must be globally unique and a valid S3 bucket name)."
+  description = "Name prefix for all resources created by this module. Also used as the hosting bucket name (must be globally unique and a valid S3 bucket name) UNLESS the existing-bucket override is in use."
 
   validation {
     condition     = length(var.name) >= 3 && length(var.name) <= 63
@@ -17,6 +17,79 @@ variable "name" {
   }
 }
 
+################################################################################
+# Composed bucket override
+#
+# When all four `existing_bucket_*` inputs are set, static_site SKIPS its
+# internal `storage/s3` module and uses the supplied bucket as the
+# CloudFront origin. The module STILL manages an `aws_s3_bucket_policy`
+# on the foreign bucket so the OAC grant for these distributions lands —
+# supply a bucket whose owning stack does NOT attach its own policy.
+#
+# Leave all four null (default) to provision the bucket in-module.
+################################################################################
+
+variable "existing_bucket_id" {
+  type        = string
+  description = "Override: use this S3 bucket as the CloudFront origin instead of letting static_site create one. Pair with the other `existing_bucket_*` inputs."
+  default     = null
+}
+
+variable "existing_bucket_arn" {
+  type        = string
+  description = "ARN of the existing bucket. Required when `existing_bucket_id` is set."
+  default     = null
+}
+
+variable "existing_bucket_region" {
+  type        = string
+  description = "Region of the existing bucket. Required when `existing_bucket_id` is set."
+  default     = null
+}
+
+variable "existing_bucket_regional_domain_name" {
+  type        = string
+  description = "Regional domain name of the existing bucket (e.g. `my-bucket.s3.us-east-1.amazonaws.com`). Required when `existing_bucket_id` is set."
+  default     = null
+}
+
+################################################################################
+# Ravion-domain auto-allocation
+#
+# When `ravion_dns_provider_id` is set, the module allocates an FQDN
+# under that provider, issues an ACM cert in us-east-1, publishes
+# validation + routing records via Ravion, registers the cert in the
+# Ravion domain control plane, and attaches the cert as the SNI alias
+# on `distributions[var.ravion_attach_distribution_key]`.
+#
+# Leave `ravion_dns_provider_id` null to skip — distributions take
+# their `aliases`/`acm_certificate_arn` from `var.distributions` only.
+################################################################################
+
+variable "ravion_dns_provider_id" {
+  type        = string
+  description = "DnsProvider id to allocate the FQDN under. Set this to enable Ravion-domain auto-allocation + ACM cert + CloudFront alias attachment."
+  default     = null
+}
+
+variable "ravion_domain_slug" {
+  type        = string
+  description = "Slug for the auto-allocated FQDN. Defaults to `var.name` when null."
+  default     = null
+}
+
+variable "ravion_attach_distribution_key" {
+  type        = string
+  description = "Distribution key (into `var.distributions`) to attach the auto-issued cert + alias to. Defaults to `main`."
+  default     = "main"
+}
+
+variable "ravion_cert_group_name" {
+  type        = string
+  description = "Optional cert-group name surfaced on the Ravion Domains tab. Defaults to `var.name`."
+  default     = null
+}
+
 variable "tags" {
   type        = map(string)
   description = "A map of tags to assign to all resources."
diff --git a/hosting/static_site/versions.tf b/hosting/static_site/versions.tf
index f2ea0cd..a3f55a5 100644
--- a/hosting/static_site/versions.tf
+++ b/hosting/static_site/versions.tf
@@ -8,5 +8,13 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 6.0"
     }
+    # Optional — only used when `ravion_dns_provider_id` is set. The
+    # resources in `ravion_domain.tf` count out to zero when the input
+    # is null, so a consumer that doesn't opt in still doesn't need
+    # the provider configured. Constraint matches sibling modules.
+    ravion = {
+      source  = "ravion.com/ravion/domains"
+      version = ">= 2.0.0"
+    }
   }
 }
diff --git a/networking/alb/.terraform.lock.hcl b/networking/alb/.terraform.lock.hcl
deleted file mode 100644
index 060d950..0000000
--- a/networking/alb/.terraform.lock.hcl
+++ /dev/null
@@ -1,19 +0,0 @@
-# This file is maintained automatically by "tofu init".
-# Manual edits may be lost in future updates.
-
-provider "registry.opentofu.org/hashicorp/aws" {
-  version     = "6.27.0"
-  constraints = ">= 5.0.0"
-  hashes = [
-    "h1:Z773nibI8M0BhAy/lJ39VtdRFNcT34W+KxTXPf3n0Ho=",
-    "zh:102963b1c55b839aeb58788fb823749db02ab96674cf25de720b00473a6c839c",
-    "zh:46be161beffbb9ea2c9c135dafca0dd634358a9bafc90748cecddf619460c2b6",
-    "zh:4ee96a9dc860f6b391f2bac07b522c5386ffe75395955686dd56f356e4dd2f36",
-    "zh:855ece6738c05d910fbc592b73d8cba4cfd7849c6d6782a1ebd4ce4f7c4c7ee0",
-    "zh:946c65be16e7ee291db1882dc78cc4d4bb577798bcf3d6ba27f464070aead2fb",
-    "zh:aa4e233f55d0165e9b0465a3f95db8c890e64368c8a58097bca2bf7746b9c5b8",
-    "zh:b8cb4bbaf69501cdf02b7c296efa2650f5866aa4125912d85f81efd46b042eaf",
-    "zh:b9351a0b157850ec179a3f83d2ca462a05e697a632a4cde1e464b1fe7d6bd63d",
-    "zh:e31792468b166906c1f344c0a039e7df10c2d2bd836ec6348fc1879e926075d9",
-  ]
-}
diff --git a/networking/alb/variables.tf b/networking/alb/variables.tf
index f3118fd..7883640 100644
--- a/networking/alb/variables.tf
+++ b/networking/alb/variables.tf
@@ -259,7 +259,7 @@ variable "access_logs_bucket_arn" {
   default     = null
 
   validation {
-    condition     = var.access_logs_bucket_arn == null || can(regex("^arn:aws:s3:::", var.access_logs_bucket_arn))
+    condition = var.access_logs_bucket_arn == null || can(regex("^arn:aws:s3:::", var.access_logs_bucket_arn))
     error_message = "The access_logs_bucket_arn must be a valid S3 bucket ARN."
   }
 }
@@ -287,7 +287,7 @@ variable "access_logs_kms_key_id" {
   default     = null
 
   validation {
-    condition     = var.access_logs_kms_key_id == null || can(regex("^(arn:aws:kms:|alias/)", var.access_logs_kms_key_id))
+    condition = var.access_logs_kms_key_id == null || can(regex("^(arn:aws:kms:|alias/)", var.access_logs_kms_key_id))
     error_message = "The access_logs_kms_key_id must be a valid KMS key ARN or alias."
   }
 }
@@ -314,7 +314,7 @@ variable "web_acl_arn" {
   default     = null
 
   validation {
-    condition     = var.web_acl_arn == null || can(regex("^arn:aws:wafv2:", var.web_acl_arn))
+    condition = var.web_acl_arn == null || can(regex("^arn:aws:wafv2:", var.web_acl_arn))
     error_message = "The web_acl_arn must be a valid WAFv2 Web ACL ARN."
   }
 }
diff --git a/networking/nlb/.terraform.lock.hcl b/networking/nlb/.terraform.lock.hcl
deleted file mode 100644
index 060d950..0000000
--- a/networking/nlb/.terraform.lock.hcl
+++ /dev/null
@@ -1,19 +0,0 @@
-# This file is maintained automatically by "tofu init".
-# Manual edits may be lost in future updates.
-
-provider "registry.opentofu.org/hashicorp/aws" {
-  version     = "6.27.0"
-  constraints = ">= 5.0.0"
-  hashes = [
-    "h1:Z773nibI8M0BhAy/lJ39VtdRFNcT34W+KxTXPf3n0Ho=",
-    "zh:102963b1c55b839aeb58788fb823749db02ab96674cf25de720b00473a6c839c",
-    "zh:46be161beffbb9ea2c9c135dafca0dd634358a9bafc90748cecddf619460c2b6",
-    "zh:4ee96a9dc860f6b391f2bac07b522c5386ffe75395955686dd56f356e4dd2f36",
-    "zh:855ece6738c05d910fbc592b73d8cba4cfd7849c6d6782a1ebd4ce4f7c4c7ee0",
-    "zh:946c65be16e7ee291db1882dc78cc4d4bb577798bcf3d6ba27f464070aead2fb",
-    "zh:aa4e233f55d0165e9b0465a3f95db8c890e64368c8a58097bca2bf7746b9c5b8",
-    "zh:b8cb4bbaf69501cdf02b7c296efa2650f5866aa4125912d85f81efd46b042eaf",
-    "zh:b9351a0b157850ec179a3f83d2ca462a05e697a632a4cde1e464b1fe7d6bd63d",
-    "zh:e31792468b166906c1f344c0a039e7df10c2d2bd836ec6348fc1879e926075d9",
-  ]
-}
diff --git a/networking/nlb/variables.tf b/networking/nlb/variables.tf
index a0f02b7..307286d 100644
--- a/networking/nlb/variables.tf
+++ b/networking/nlb/variables.tf
@@ -130,7 +130,7 @@ variable "dns_record_client_routing_policy" {
   default     = null
 
   validation {
-    condition     = var.dns_record_client_routing_policy == null || contains(["any_availability_zone", "availability_zone_affinity", "partial_availability_zone_affinity"], var.dns_record_client_routing_policy)
+    condition = var.dns_record_client_routing_policy == null || contains(["any_availability_zone", "availability_zone_affinity", "partial_availability_zone_affinity"], var.dns_record_client_routing_policy)
     error_message = "The dns_record_client_routing_policy must be 'any_availability_zone', 'availability_zone_affinity', or 'partial_availability_zone_affinity'."
   }
 }
@@ -141,7 +141,7 @@ variable "enforce_security_group_inbound_rules_on_private_link_traffic" {
   default     = null
 
   validation {
-    condition     = var.enforce_security_group_inbound_rules_on_private_link_traffic == null || contains(["on", "off"], var.enforce_security_group_inbound_rules_on_private_link_traffic)
+    condition = var.enforce_security_group_inbound_rules_on_private_link_traffic == null || contains(["on", "off"], var.enforce_security_group_inbound_rules_on_private_link_traffic)
     error_message = "The enforce_security_group_inbound_rules_on_private_link_traffic must be 'on' or 'off'."
   }
 }
@@ -183,7 +183,7 @@ variable "access_logs_bucket_arn" {
   default     = null
 
   validation {
-    condition     = var.access_logs_bucket_arn == null || can(regex("^arn:aws:s3:::", var.access_logs_bucket_arn))
+    condition = var.access_logs_bucket_arn == null || can(regex("^arn:aws:s3:::", var.access_logs_bucket_arn))
     error_message = "The access_logs_bucket_arn must be a valid S3 bucket ARN."
   }
 }
@@ -211,7 +211,7 @@ variable "access_logs_kms_key_id" {
   default     = null
 
   validation {
-    condition     = var.access_logs_kms_key_id == null || can(regex("^(arn:aws:kms:|alias/)", var.access_logs_kms_key_id))
+    condition = var.access_logs_kms_key_id == null || can(regex("^(arn:aws:kms:|alias/)", var.access_logs_kms_key_id))
     error_message = "The access_logs_kms_key_id must be a valid KMS key ARN or alias."
   }
 }
diff --git a/networking/security-groups/.terraform.lock.hcl b/networking/security-groups/.terraform.lock.hcl
deleted file mode 100644
index 5d64317..0000000
--- a/networking/security-groups/.terraform.lock.hcl
+++ /dev/null
@@ -1,19 +0,0 @@
-# This file is maintained automatically by "tofu init".
-# Manual edits may be lost in future updates.
-
-provider "registry.opentofu.org/hashicorp/aws" {
-  version     = "6.28.0"
-  constraints = ">= 5.0.0"
-  hashes = [
-    "h1:wek8vEEZpTPulbLi9xCf2wnxvc97JXAN4qcOhduSg7k=",
-    "zh:38d58305206953783c150fb96d5c4f3ea5fe0b9e0987d927c884a6b0f2adf7a9",
-    "zh:43fd483251165f98b7a44360b41b437d309b007ef2bfff818eedcf3730e3f5cb",
-    "zh:4753decc5a718cb74b08244a02d00c150f0ddd6ebf2e1227f6a985c647c03ce9",
-    "zh:5956525650554bd3fbc4b695eb5250193f0ebf94c45862a7730457ab6a315069",
-    "zh:76d98fa1146750c01f607bae4421952ee9cd14ed3a4a59deb7136749adb9e0ae",
-    "zh:792c29e5ec91356baddb6219ac7f6f1df09c251cbe4ab6e089fc25d64270b22a",
-    "zh:856424380caa7c1536dc00515d12beac2693db1a8425da654eed5530abeb17d9",
-    "zh:e8982ec2bc692efa7236e3565e7094a09f52c5b71d8860a570a36fb31a40f27f",
-    "zh:f5e7ff825dc3f7356fb80936bfe7bb1b54a728ccf429cb753cfe590932f0403b",
-  ]
-}