diff --git a/.github/scripts/pre-commit.sh b/.github/scripts/pre-commit.sh
index d9a1358aa3..71140331a1 100755
--- a/.github/scripts/pre-commit.sh
+++ b/.github/scripts/pre-commit.sh
@@ -60,9 +60,9 @@ runShellCheckForCommitFiles() {
       filename=$(basename -- "$file")
       extension="${filename##*.}"
 
-      # Skip binary formats
+      # Skip binary formats and groovy files
       case "$extension" in
-        "zip" | "p12" | "pfx" | "cer" | "pem" | "png" | "jpg")
+        "zip" | "p12" | "pfx" | "cer" | "pem" | "png" | "jpg" | "groovy")
           continue ;;
         *) ;;
       esac
diff --git a/apps/utils/locust_tests/lambda/server-regression/app.py b/apps/utils/locust_tests/lambda/server-regression/app.py
index 4dd95902fa..8af274e8d0 100644
--- a/apps/utils/locust_tests/lambda/server-regression/app.py
+++ b/apps/utils/locust_tests/lambda/server-regression/app.py
@@ -153,6 +153,9 @@ def handler(event, context):
         cert = get_ssm_parameter(
             f"/bfd/{environment}/server/sensitive/server_regression_cert", with_decrypt=True
         )
+        green_port = get_ssm_parameter(
+            f"/bfd/{environment}/server/nonsensitive/lb_green_ingress_port"
+        )
     except ValueError as exc:
         send_pipeline_signal(
             signal_queue_url=signal_queue_url,
@@ -191,7 +194,7 @@ def handler(event, context):
             [
                 "locust",
                 f"--locustfile=/var/task/{invoke_event.suite_version}/{locust_file}",
-                f"--host={invoke_event.host}",
+                f"--host={invoke_event.host}:{green_port}",
                 f"--users={invoke_event.users}",
                 f"--spawn-rate={invoke_event.spawn_rate}",
                 f"--spawned-runtime={invoke_event.spawned_runtime}",
diff --git a/ops/jenkins/global-pipeline-libraries/vars/awsElb.groovy b/ops/jenkins/global-pipeline-libraries/vars/awsElb.groovy
index 99ff8f9d18..d6b0cec487 100644
--- a/ops/jenkins/global-pipeline-libraries/vars/awsElb.groovy
+++ b/ops/jenkins/global-pipeline-libraries/vars/awsElb.groovy
@@ -2,7 +2,8 @@
 // awsElb.groovy contains methods that wrap awscli elb subcommands
 
 // Returns the Elastic Load Balancer's DNSName for the given environment
+// See ops/terraform/services/server/modules/bfd_server_asg/main.tf for NLB definition and naming scheme
 String getElbDnsName(String environment) {
-    elbDnsName = sh(returnStdout: true, script: "aws elb describe-load-balancers --load-balancer-names bfd-${environment}-fhir --query 'LoadBalancerDescriptions[0].DNSName' --output text").trim()
+    elbDnsName = sh(returnStdout: true, script: "aws elbv2 describe-load-balancers --names bfd-${environment}-fhir-nlb --query 'LoadBalancer[0].DNSName' --output text").trim()
     return elbDnsName
 }
diff --git a/ops/terraform/services/base/values/ephemeral.yaml b/ops/terraform/services/base/values/ephemeral.yaml
index fdaf0f78fa..67be013c93 100644
--- a/ops/terraform/services/base/values/ephemeral.yaml
+++ b/ops/terraform/services/base/values/ephemeral.yaml
@@ -47,8 +47,8 @@
 /bfd/${env}/server/nonsensitive/pac/claim_source_types: fiss,mcs
 /bfd/${env}/server/nonsensitive/c4dic/enabled: "false"
 /bfd/${env}/server/nonsensitive/lb_is_public: false
-/bfd/${env}/server/nonsensitive/lb_ingress_port: 443
-/bfd/${env}/server/nonsensitive/lb_egress_port: 7443
+/bfd/${env}/server/nonsensitive/lb_blue_ingress_port: 443
+/bfd/${env}/server/nonsensitive/lb_green_ingress_port: 7443
 /bfd/${env}/server/nonsensitive/launch_template_volume_iops: 3000
 /bfd/${env}/server/nonsensitive/launch_template_volume_size_gb: 60
 /bfd/${env}/server/nonsensitive/launch_template_volume_throughput: 250
diff --git a/ops/terraform/services/base/values/prod-sbx.yaml b/ops/terraform/services/base/values/prod-sbx.yaml
index 1e9174f4ff..b78c163169 100644
--- a/ops/terraform/services/base/values/prod-sbx.yaml
+++ b/ops/terraform/services/base/values/prod-sbx.yaml
@@ -136,8 +136,8 @@
 /bfd/${env}/server/nonsensitive/heathcheck/testing_bene_id: "-88888888888888"
 /bfd/${env}/server/nonsensitive/paths/files/war: UNDEFINED
 /bfd/${env}/server/nonsensitive/lb_is_public: "true"
-/bfd/${env}/server/nonsensitive/lb_ingress_port: "443"
-/bfd/${env}/server/nonsensitive/lb_egress_port: "7443"
+/bfd/${env}/server/nonsensitive/lb_blue_ingress_port: "443"
+/bfd/${env}/server/nonsensitive/lb_green_ingress_port: "7443"
 /bfd/${env}/server/nonsensitive/lb_vpc_peerings_json: '[ "bfd-prod-sbx-to-ab2d-dev", "bfd-prod-sbx-to-ab2d-impl", "bfd-prod-sbx-to-ab2d-sbx", "bfd-prod-sbx-to-bcda-dev", "bfd-prod-sbx-to-bcda-test", "bfd-prod-sbx-to-bcda-sbx", "bfd-prod-sbx-to-bcda-opensbx", "bfd-prod-sbx-vpc-to-bluebutton-impl", "bfd-prod-sbx-vpc-to-bluebutton-test", "bfd-prod-sbx-vpc-to-dpc-prod-sbx-vpc", "bfd-prod-sbx-vpc-to-dpc-test-vpc", "bfd-prod-sbx-vpc-to-dpc-dev-vpc" ]'
 /bfd/${env}/server/nonsensitive/asg_min_instance_count: "3"
 /bfd/${env}/server/nonsensitive/asg_max_instance_count: "12"
diff --git a/ops/terraform/services/base/values/prod.yaml b/ops/terraform/services/base/values/prod.yaml
index 3d727a1471..7ede29e492 100644
--- a/ops/terraform/services/base/values/prod.yaml
+++ b/ops/terraform/services/base/values/prod.yaml
@@ -183,8 +183,8 @@
 /bfd/${env}/server/nonsensitive/heathcheck/testing_bene_id: "-88888888888888"
 /bfd/${env}/server/nonsensitive/paths/files/war: UNDEFINED
 /bfd/${env}/server/nonsensitive/lb_is_public: "false"
-/bfd/${env}/server/nonsensitive/lb_ingress_port: "443"
-/bfd/${env}/server/nonsensitive/lb_egress_port: "7443"
+/bfd/${env}/server/nonsensitive/lb_blue_ingress_port: "443"
+/bfd/${env}/server/nonsensitive/lb_green_ingress_port: "7443"
 /bfd/${env}/server/nonsensitive/lb_vpc_peerings_json: '[ "bfd-prod-vpc-to-dpc-prod-vpc", "bfd-prod-vpc-to-bluebutton-prod", "bfd-prod-vpc-to-bcda-prod-vpc", "bfd-prod-to-ab2d-prod" ]'
 /bfd/${env}/server/nonsensitive/asg_min_instance_count: "3"
 /bfd/${env}/server/nonsensitive/asg_max_instance_count: "12"
diff --git a/ops/terraform/services/base/values/test.yaml b/ops/terraform/services/base/values/test.yaml
index 1c66d419ec..4031a0287c 100644
--- a/ops/terraform/services/base/values/test.yaml
+++ b/ops/terraform/services/base/values/test.yaml
@@ -188,8 +188,8 @@
 /bfd/${env}/server/nonsensitive/heathcheck/testing_bene_id: "-88888888888888"
 /bfd/${env}/server/nonsensitive/paths/files/war: UNDEFINED
 /bfd/${env}/server/nonsensitive/lb_is_public: "false"
-/bfd/${env}/server/nonsensitive/lb_ingress_port: "443"
-/bfd/${env}/server/nonsensitive/lb_egress_port: "7443"
+/bfd/${env}/server/nonsensitive/lb_blue_ingress_port: "443"
+/bfd/${env}/server/nonsensitive/lb_green_ingress_port: "7443"
 /bfd/${env}/server/nonsensitive/lb_vpc_peerings_json: '[ "bfd-test-vpc-to-bluebutton-test" ]'
 /bfd/${env}/server/nonsensitive/asg_min_instance_count: "3"
 /bfd/${env}/server/nonsensitive/asg_max_instance_count: "12"
diff --git a/ops/terraform/services/server/README.md b/ops/terraform/services/server/README.md
index b1a14b4560..af41bfea12 100644
--- a/ops/terraform/services/server/README.md
+++ b/ops/terraform/services/server/README.md
@@ -15,6 +15,16 @@ terraform apply
 
 **NOTE** the above double-invocation of terraform is correct. Two executions of `terraform apply` are necessary to achieve the desired state as of BFD-2558.
 
+## Blue/Green Workflow
+
+This Terraservice implements the logic and resources necessary to support a Blue/Green Deployment strategy for the BFD Server.
+
+Blue (`blue`) refers to the "active" or _production_ infrastructure that serves traffic to our consumers. Resources in `blue` are considered to "known-good" resources. Green (`green`) refers to _incoming_, new infrastructure for a _new_ version of the BFD Server that needs to be verified as good before it being promoted to `blue` and made available to serve traffic to our consumers.
+
+This Terraservice achieves a Blue/Green Deployment strategy by utilizing two AutoScaling Groups, two Target Groups and two Load Balancer Listeners on ports `443` and `7443` that route to the aforementioned Target Groups on different ports. The Listener on port `443` (the reserved HTTPS port) is associated with the `blue` Target Group and the Listener on `7443` is associated with `green`. This way, clients using the default HTTPS port will reach the `blue` BFD Server Instances only, while our automation can reach the `green` Instances by using port `7443`.
+
+The Terraservice logic decides which AutoScaling Group is associated with the `blue`/`green` Target Group by looking at the oddness/evenness of the _latest_ Launch Template version number _iff_ the Launch Template is changing upon the `terraform apply`. Correspondingly, the ASGs are suffixed with `-odd` and `-even`. Given latest Launch Template version number, if it is _odd_ the ASG suffixed as `-odd` will be chosen as `green` whereas if it is _even_ `-even` will be chosen as `green`. In this scenario, we expect no changes to the existing `blue` ASG nor its Target Group so that it continues to serve traffic uninterrupted.
+
 <!-- BEGIN_TF_DOCS -->
 <!-- GENERATED WITH `terraform-docs .`
      Manually updating the README.md will be overwritten.
@@ -61,13 +71,13 @@ terraform apply
 | [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |
 | [aws_ec2_managed_prefix_list.jenkins](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
 | [aws_ec2_managed_prefix_list.vpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ec2_managed_prefix_list) | data source |
-| [aws_s3_bucket.logs](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/s3_bucket) | data source |
 | [aws_security_group.remote](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 | [aws_security_group.tools](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 | [aws_security_group.vpn](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_group) | data source |
 | [aws_security_groups.aurora_cluster](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/security_groups) | data source |
 | [aws_ssm_parameters_by_path.nonsensitive_common](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameters_by_path) | data source |
 | [aws_ssm_parameters_by_path.nonsensitive_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameters_by_path) | data source |
+| [aws_ssm_parameters_by_path.sensitive_service](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/ssm_parameters_by_path) | data source |
 | [aws_vpc.main](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 | [aws_vpc.mgmt](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc) | data source |
 | [aws_vpc_peering_connection.peers](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/vpc_peering_connection) | data source |
diff --git a/ops/terraform/services/server/data-sources.tf b/ops/terraform/services/server/data-sources.tf
index 6a6d229ded..c4d7a86e0c 100644
--- a/ops/terraform/services/server/data-sources.tf
+++ b/ops/terraform/services/server/data-sources.tf
@@ -47,11 +47,6 @@ data "aws_ami" "main" {
   }
 }
 
-# s3 buckets
-data "aws_s3_bucket" "logs" {
-  bucket = "bfd-${local.env}-logs-${data.aws_caller_identity.current.account_id}"
-}
-
 # aurora security group
 data "aws_security_groups" "aurora_cluster" {
   filter {
@@ -114,3 +109,8 @@ data "aws_ssm_parameters_by_path" "nonsensitive_common" {
 data "aws_ssm_parameters_by_path" "nonsensitive_service" {
   path = "/bfd/${local.env}/${local.service}/nonsensitive"
 }
+
+data "aws_ssm_parameters_by_path" "sensitive_service" {
+  path            = "/bfd/${local.env}/${local.service}/sensitive"
+  with_decryption = true
+}
diff --git a/ops/terraform/services/server/main.tf b/ops/terraform/services/server/main.tf
index 10ba4abb58..d85e8755b0 100644
--- a/ops/terraform/services/server/main.tf
+++ b/ops/terraform/services/server/main.tf
@@ -34,6 +34,15 @@ locals {
     for key, value in local.nonsensitive_service_map
     : split("/", key)[5] => value
   }
+  sensitive_service_map = zipmap(
+    data.aws_ssm_parameters_by_path.sensitive_service.names,
+    nonsensitive(data.aws_ssm_parameters_by_path.sensitive_service.values)
+  )
+  sensitive_service_config = {
+    for key, value in local.sensitive_service_map
+    : split("/", key)[5] => value
+  }
+
 
   enterprise_tools_security_group = local.nonsensitive_common_config["enterprise_tools_security_group"]
   management_security_group       = local.nonsensitive_common_config["management_security_group"]
@@ -43,10 +52,10 @@ locals {
   ssh_key_pair                    = local.nonsensitive_common_config["key_pair"]
   vpc_name                        = local.nonsensitive_common_config["vpc_name"]
 
-  lb_is_public    = local.nonsensitive_service_config["lb_is_public"]
-  lb_ingress_port = local.nonsensitive_service_config["lb_ingress_port"]
-  lb_egress_port  = local.nonsensitive_service_config["lb_egress_port"]
-  lb_vpc_peerings = jsondecode(local.nonsensitive_service_config["lb_vpc_peerings_json"])
+  lb_is_public          = tobool(local.nonsensitive_service_config["lb_is_public"])
+  lb_blue_ingress_port  = local.nonsensitive_service_config["lb_blue_ingress_port"]
+  lb_green_ingress_port = local.nonsensitive_service_config["lb_green_ingress_port"]
+  lb_vpc_peerings       = jsondecode(local.nonsensitive_service_config["lb_vpc_peerings_json"])
 
   asg_min_instance_count      = local.nonsensitive_service_config["asg_min_instance_count"]
   asg_max_instance_count      = local.nonsensitive_service_config["asg_max_instance_count"]
@@ -60,6 +69,8 @@ locals {
   launch_template_volume_throughput = local.nonsensitive_service_config["launch_template_volume_throughput"]
   launch_template_volume_type       = local.nonsensitive_service_config["launch_template_volume_type"]
 
+  service_port = local.sensitive_service_config["service_port"]
+
   env_config = {
     default_tags = local.default_tags,
     vpc_id       = data.aws_vpc.main.id,
@@ -92,40 +103,49 @@ module "fhir_iam" {
 
 ## NLB for the FHIR server (SSL terminated by the FHIR server)
 #
+# TODO: Remove bfd_server_lb module in BFD-3878
+# TODO: Remove below code in BFD-3878
 module "fhir_lb" {
+  count  = !local.is_ephemeral_env ? 1 : 0
   source = "./modules/bfd_server_lb"
 
   env_config = local.env_config
   role       = local.legacy_service
   layer      = "dmz"
-  log_bucket = data.aws_s3_bucket.logs.id
   is_public  = local.lb_is_public
 
   ingress = local.lb_is_public ? {
     description     = "Public Internet access"
-    port            = local.lb_ingress_port
+    port            = local.lb_blue_ingress_port
     cidr_blocks     = ["0.0.0.0/0"]
     prefix_list_ids = []
     } : {
     description     = "From VPN, VPC peerings, the MGMT VPC, and self"
-    port            = local.lb_ingress_port
+    port            = local.lb_blue_ingress_port
     cidr_blocks     = concat(data.aws_vpc_peering_connection.peers[*].peer_cidr_block, [data.aws_vpc.mgmt.cidr_block, data.aws_vpc.main.cidr_block])
     prefix_list_ids = [data.aws_ec2_managed_prefix_list.vpn.id, data.aws_ec2_managed_prefix_list.jenkins.id]
   }
 
   egress = {
     description = "To VPC instances"
-    port        = local.lb_egress_port
+    port        = local.service_port
     cidr_blocks = [data.aws_vpc.main.cidr_block]
   }
 }
 
+moved {
+  from = module.fhir_lb
+  to   = module.fhir_lb[0]
+}
+# TODO: Remove above code in BFD-3878
+
+# TODO: Update this module with new NLB metrics in BFD-3885
 module "lb_alarms" {
   count = local.create_server_lb_alarms ? 1 : 0
 
   source = "./modules/bfd_server_lb_alarms"
 
-  load_balancer_name = module.fhir_lb.name
+  load_balancer_name = one(module.fhir_lb[*].legacy_clb_name)
   app                = "bfd"
 
   # NLBs only have this metric to alarm on
@@ -136,7 +156,6 @@ module "lb_alarms" {
   }
 }
 
-
 ## Autoscale group for the FHIR server
 #
 module "fhir_asg" {
@@ -146,9 +165,13 @@ module "fhir_asg" {
   env_config    = local.env_config
   role          = local.legacy_service
   layer         = "app"
-  lb_config     = module.fhir_lb.lb_config
   seed_env      = local.seed_env
 
+  # TODO: Remove below code in BFD-3878
+  legacy_clb_name = one(module.fhir_lb[*].legacy_clb_name)
+  legacy_sg_id    = one(module.fhir_lb[*].legacy_sg_id)
+  # TODO: Remove above code in BFD-3878
+
   # Initial size is one server per AZ
   asg_config = {
     min             = local.asg_min_instance_count
@@ -186,6 +209,21 @@ module "fhir_asg" {
     remote_sg = data.aws_security_group.remote.id
     ci_cidrs  = [data.aws_vpc.mgmt.cidr_block]
   }
+
+  lb_config = {
+    is_public                  = local.lb_is_public
+    enable_deletion_protection = !local.is_ephemeral_env
+    ingress = {
+      blue_port       = local.lb_blue_ingress_port
+      green_port      = local.lb_green_ingress_port
+      cidr_blocks     = !local.lb_is_public ? concat(data.aws_vpc_peering_connection.peers[*].peer_cidr_block, [data.aws_vpc.mgmt.cidr_block, data.aws_vpc.main.cidr_block]) : ["0.0.0.0/0"]
+      prefix_list_ids = !local.lb_is_public ? [data.aws_ec2_managed_prefix_list.vpn.id, data.aws_ec2_managed_prefix_list.jenkins.id] : []
+    }
+    egress = {
+      cidr_blocks = [data.aws_vpc.main.cidr_block]
+    }
+    server_listen_port = local.service_port
+  }
 }
 
 ## FHIR server logs
diff --git a/ops/terraform/services/server/modules/bfd_server_asg/main.tf b/ops/terraform/services/server/modules/bfd_server_asg/main.tf
index 0845c9afcd..fdbec9faee 100644
--- a/ops/terraform/services/server/modules/bfd_server_asg/main.tf
+++ b/ops/terraform/services/server/modules/bfd_server_asg/main.tf
@@ -1,18 +1,34 @@
 locals {
+  green_state = "green"
+  blue_state  = "blue"
   asgs = {
     odd = {
-      name             = "${aws_launch_template.main.name}-odd"
-      desired_capacity = local.odd_needs_scale_out ? max(local.even_remote_desired_capacity, var.asg_config.desired) : (local.odd_maintains_state ? local.odd_remote_desired_capacity : 0)
-      max_size         = var.asg_config.max
-      min_size         = local.odd_needs_scale_out ? max(local.even_remote_desired_capacity, var.asg_config.desired) : (local.odd_maintains_state ? local.odd_remote_desired_capacity : 0)
-      warmpool_size    = local.odd_needs_scale_out ? max(local.even_remote_warmpool_min_size, var.asg_config.min) : (local.odd_maintains_state ? local.odd_remote_warmpool_min_size : 0)
+      name              = "${aws_launch_template.main.name}-odd"
+      lt_version        = local.odd_needs_scale_out ? local.latest_ltv : coalesce(local.odd_remote_lt_version, max(local.latest_ltv - 1, 1))
+      desired_capacity  = local.odd_needs_scale_out ? max(local.even_remote_desired_capacity, var.asg_config.desired) : (local.odd_maintains_state ? local.odd_remote_desired_capacity : 0)
+      max_size          = var.asg_config.max
+      min_size          = local.odd_needs_scale_out ? max(local.even_remote_desired_capacity, var.asg_config.desired) : (local.odd_maintains_state ? local.odd_remote_desired_capacity : 0)
+      warmpool_size     = local.odd_needs_scale_out ? max(local.even_remote_warmpool_min_size, var.asg_config.min) : (local.odd_maintains_state ? local.odd_remote_warmpool_min_size : 0)
+      deployment_status = local.odd_needs_scale_out ? local.green_state : (local.odd_maintains_state && local.odd_remote_desired_capacity > 0 ? local.blue_state : local.green_state)
     }
     even = {
-      name             = "${aws_launch_template.main.name}-even"
-      desired_capacity = local.even_needs_scale_out ? max(local.odd_remote_desired_capacity, var.asg_config.desired) : (local.even_maintains_state ? local.even_remote_desired_capacity : 0)
-      max_size         = var.asg_config.max
-      min_size         = local.even_needs_scale_out ? max(local.odd_remote_desired_capacity, var.asg_config.desired) : (local.even_maintains_state ? local.even_remote_desired_capacity : 0)
-      warmpool_size    = local.even_needs_scale_out ? max(local.odd_remote_warmpool_min_size, var.asg_config.min) : (local.even_maintains_state ? local.even_remote_warmpool_min_size : 0)
+      name              = "${aws_launch_template.main.name}-even"
+      lt_version        = local.even_needs_scale_out ? local.latest_ltv : coalesce(local.even_remote_lt_version, max(local.latest_ltv - 1, 1))
+      desired_capacity  = local.even_needs_scale_out ? max(local.odd_remote_desired_capacity, var.asg_config.desired) : (local.even_maintains_state ? local.even_remote_desired_capacity : 0)
+      max_size          = var.asg_config.max
+      min_size          = local.even_needs_scale_out ? max(local.odd_remote_desired_capacity, var.asg_config.desired) : (local.even_maintains_state ? local.even_remote_desired_capacity : 0)
+      warmpool_size     = local.even_needs_scale_out ? max(local.odd_remote_warmpool_min_size, var.asg_config.min) : (local.even_maintains_state ? local.even_remote_warmpool_min_size : 0)
+      deployment_status = local.even_needs_scale_out ? local.green_state : (local.even_maintains_state && local.even_remote_desired_capacity > 0 ? local.blue_state : local.green_state)
+    }
+  }
+
+  lb_name = "bfd-${local.env}-${var.role}-nlb"
+  lb_targets = {
+    blue = {
+      ingress_port = var.lb_config.ingress.blue_port
+    }
+    green = {
+      ingress_port = var.lb_config.ingress.green_port
     }
   }
 
@@ -26,6 +42,9 @@ locals {
   is_latest_launch_template_odd  = local.latest_ltv % 2 == 1
   is_latest_launch_template_even = local.latest_ltv % 2 == 0
 
+  odd_remote_lt_version  = try(tonumber(data.external.current_asg.result["odd_launch_template_version"]), null)
+  even_remote_lt_version = try(tonumber(data.external.current_asg.result["even_launch_template_version"]), null)
+
   odd_remote_desired_capacity  = tonumber(data.external.current_asg.result["odd_desired_capacity"])
   even_remote_desired_capacity = tonumber(data.external.current_asg.result["even_desired_capacity"])
 
@@ -146,31 +165,37 @@ resource "aws_security_group" "base" {
 
 # app server
 resource "aws_security_group" "app" {
-  count       = var.lb_config == null ? 0 : 1
+  lifecycle {
+    create_before_destroy = true
+  }
+
   name        = "bfd-${local.env}-${var.role}-app"
   description = "Allow access to app servers"
   vpc_id      = var.env_config.vpc_id
   tags        = merge({ Name = "bfd-${local.env}-${var.role}-app" }, local.additional_tags)
 
   ingress {
-    from_port       = var.lb_config.port
-    to_port         = var.lb_config.port
-    protocol        = "tcp"
-    security_groups = [var.lb_config.sg]
+    from_port       = var.lb_config.server_listen_port
+    to_port         = var.lb_config.server_listen_port
+    protocol        = "TCP"
+    security_groups = concat([aws_security_group.lb.id], var.legacy_sg_id != null ? [var.legacy_sg_id] : [])
+    # TODO: Replace above "security_groups" definition with below commented code in BFD-3878
+    # security_groups = [aws_security_group.lb.id]server_listen_port
+    # TODO: Replace above "security_groups" definition with above commented code in BFD-3878
   }
 }
 
 # database
 resource "aws_security_group_rule" "allow_db_access" {
-  for_each    = var.db_config != null ? toset(var.db_config.db_sg) : []
+  for_each    = toset(var.db_config.db_sg)
   type        = "ingress"
   from_port   = 5432
   to_port     = 5432
   protocol    = "tcp"
   description = "Allows access to the ${var.db_config.role} db"
 
-  security_group_id        = each.value                   # The SG associated with each replica
-  source_security_group_id = aws_security_group.app[0].id # Every instance in the ASG
+  security_group_id        = each.value                # The SG associated with each replica
+  source_security_group_id = aws_security_group.app.id # Every instance in the ASG
 }
 
 ## Launch Template
@@ -218,7 +243,6 @@ resource "aws_launch_template" "main" {
   user_data = base64encode(templatefile("${path.module}/templates/${var.launch_config.user_data_tpl}", {
     env                   = local.env
     seed_env              = local.seed_env
-    port                  = var.lb_config.port
     accountId             = var.launch_config.account_id
     reader_endpoint       = "jdbc:postgresql://${local.rds_reader_endpoint}:5432/fhirdb${local.full_jdbc_suffix}"
     launch_lifecycle_hook = local.on_launch_lifecycle_hook_name
@@ -235,8 +259,14 @@ resource "aws_launch_template" "main" {
   }
 }
 
+# These AutoScaling Groups require 2 external "null_resourece" resources to manage their Target
+# Group ARNs and their Warm Pool due to defective behavior in the AWS provider. Specifically,
+# attempting to modify Target Group ARNs dynamically (to do blue/green) results in an error during
+# apply with a message indicating a bug in the provider. Additionally, attempting to manage the Warm
+# Pool via Terraform results in an erreneous 3 minute delay upon destruction of the Warm Pool, even
+# with "force_delete_warm_pool" enabled, which is unnaceptable
 resource "aws_autoscaling_group" "main" {
-  # Deployments of this ASG require two executions of `terraform apply`
+  # Deployments of this ASG require two executions of `terraform apply`.
   for_each = local.asgs
 
   lifecycle {
@@ -248,22 +278,27 @@ situation typically indicates that green, the incoming ASG, failed automated che
 corresponding Runbook for instructions on how to remediate this situation.
 EOF
     }
-  }
 
+    # For "target_group_arns" look at "null_resource.set_target_groups" as Terraform's AWS Provider
+    # has a bug in it when changing target group ARNs in the terraform. For "warm_pool" look at
+    # "null_resource.manage_warm_pool" as Terraform's AWS Provider does not respect
+    # "force_delete_warm_pool" which would result in non-zero downtime deployments as scaling-in the
+    # previous "blue" blocks incoming "blue" from being attached to the "blue" Target Group
+    ignore_changes = [target_group_arns, warm_pool]
+  }
 
-  name             = each.value.name
-  desired_capacity = each.value.desired_capacity
-  max_size         = each.value.max_size
-  min_size         = each.value.min_size
+  # TODO: Remove below code in BFD-3878
+  load_balancers = var.legacy_clb_name != null ? [var.legacy_clb_name] : null
+  # TODO: Remove above code in BFD-3878
 
-  # If an lb is defined, wait for the ELB
-  min_elb_capacity          = each.value.desired_capacity
+  name                      = each.value.name
+  desired_capacity          = each.value.desired_capacity
+  max_size                  = each.value.max_size
+  min_size                  = each.value.min_size
   wait_for_capacity_timeout = var.lb_config == null ? null : "20m"
-
   health_check_grace_period = 600                                   # Temporary, will be lowered when/if lifecycle hooks are implemented
   health_check_type         = var.lb_config == null ? "EC2" : "ELB" # Failures of ELB healthchecks are asg failures
   vpc_zone_identifier       = data.aws_subnet.app_subnets[*].id
-  load_balancers            = var.lb_config == null ? [] : [var.lb_config.name]
   termination_policies      = ["OldestLaunchTemplate"]
 
   # With Lifecycle Hooks, BFD Server instances will not reach the InService state until the BFD
@@ -273,7 +308,7 @@ EOF
 
   launch_template {
     name    = aws_launch_template.main.name
-    version = aws_launch_template.main.latest_version
+    version = each.value.lt_version
   }
 
   initial_lifecycle_hook {
@@ -283,8 +318,6 @@ EOF
     lifecycle_transition = "autoscaling:EC2_INSTANCE_LAUNCHING"
   }
 
-
-
   enabled_metrics = [
     "GroupMinSize",
     "GroupMaxSize",
@@ -296,24 +329,6 @@ EOF
     "GroupTotalInstances",
   ]
 
-  # NOTE: AWS Provider for Terraform does not fully respect the warm pool blocks
-  # - it reports that the warm pool will be destroyed when it is not called for
-  # - it reports that the warm pool will be destroyed when we want to destroy it
-  # - in either case, terraform 1.5.0 with provider AWS v5.53.0 does not destroy the warm pool
-  # See null resource provider below for deletion logic
-  force_delete_warm_pool = true
-  dynamic "warm_pool" {
-    for_each = each.value.warmpool_size == 0 ? toset([]) : toset([each.value.warmpool_size])
-    content {
-      pool_state                  = "Stopped"
-      min_size                    = warm_pool.value
-      max_group_prepared_capacity = warm_pool.value
-      instance_reuse_policy {
-        reuse_on_scale_in = false
-      }
-    }
-  }
-
   dynamic "tag" {
     for_each = merge(local.additional_tags, var.env_config.default_tags)
     content {
@@ -477,27 +492,161 @@ resource "aws_autoscaling_policy" "avg_cpu_high" {
   }
 }
 
-# NOTE: Required to *actually* delete a warm pool as of terraform 1.5.0 and AWS Provider v5.53.0
-resource "null_resource" "warm_pool_size" {
+resource "null_resource" "set_target_groups" {
   for_each = local.asgs
 
   triggers = {
-    should_delete_warmpool = each.value.warmpool_size == 0
+    target_group_name = each.value.deployment_status
   }
 
   provisioner "local-exec" {
     environment = {
-      will_delete = self.triggers.should_delete_warmpool
-      asg_name    = each.value.name
+      asg_name          = aws_autoscaling_group.main[each.key].name
+      target_group_arn  = aws_lb_target_group.main[self.triggers.target_group_name].arn
+      target_group_name = self.triggers.target_group_name
     }
 
     command = <<-EOF
-if [[ $will_delete == "true" ]]; then
+attached_other_tgs="$(
+  aws autoscaling describe-auto-scaling-groups --auto-scaling-group-names "$asg_name" |
+    jq -r --arg target_group_arn "$target_group_arn" \
+      '.AutoScalingGroups[0].TargetGroupARNs | map(select(. != $target_group_arn)) | join(",")'
+)"
+if [[ -n "$attached_other_tgs" ]]; then
+  aws autoscaling detach-load-balancer-target-groups \
+    --auto-scaling-group-name "$asg_name" \
+    --target-group-arns "$attached_other_tgs"
+  echo "Detached $asg_name from all non-$target_group_name Target Groups"
+fi
+aws autoscaling attach-load-balancer-target-groups \
+  --auto-scaling-group-name "$asg_name" \
+  --target-group-arns "$target_group_arn" &&
+  echo "Attached $asg_name to $target_group_name Target Group"
+EOF
+  }
+}
+
+# NOTE: Required to avoid erroneous 3 minute delay when scaling-in an ASG's Warm Pool due to defects
+# in the Terraform AWS Provider as of Terraform 1.5.0 and version 5.53.0 of the AWS Provider
+resource "null_resource" "manage_warm_pool" {
+  for_each = local.asgs
+
+  triggers = {
+    warmpool_size = each.value.warmpool_size
+  }
+
+  provisioner "local-exec" {
+    environment = {
+      warmpool_size = self.triggers.warmpool_size
+      asg_name      = aws_autoscaling_group.main[each.key].name
+    }
+
+    command = <<-EOF
+if ((warmpool_size == 0)); then
   aws autoscaling delete-warm-pool --auto-scaling-group-name "$asg_name" --force-delete
-  echo "Deleting "$asg_name" warm_pool. 'will_delete' is "$will_delete""
+  echo "Deleting "$asg_name" warm_pool. 'warmpool_size' is 0"
 else
-  echo "No change to "$asg_name" warm_pool. 'will_delete' is "$will_delete""
+  aws autoscaling put-warm-pool --auto-scaling-group-name "$asg_name" \
+    --max-group-prepared-capacity "$warmpool_size" \
+    --min-size "$warmpool_size" \
+    --pool-state "Stopped" \
+    --instance-reuse-policy "ReuseOnScaleIn=false"
+  echo "Creating Warm Pool for "$asg_name" with size of $warmpool_size"
 fi
 EOF
   }
 }
+
+### Load Balancer Components ###
+resource "aws_lb" "main" {
+  name                             = local.lb_name
+  internal                         = !var.lb_config.is_public
+  load_balancer_type               = "network"
+  security_groups                  = [aws_security_group.lb.id]
+  subnets                          = data.aws_subnet.app_subnets[*].id # Gives AZs and VPC association
+  enable_deletion_protection       = var.lb_config.enable_deletion_protection
+  idle_timeout                     = 60
+  ip_address_type                  = "ipv4"
+  enable_http2                     = false
+  desync_mitigation_mode           = "strictest"
+  enable_cross_zone_load_balancing = true
+
+  tags = local.additional_tags
+}
+
+resource "aws_lb_listener" "main" {
+  for_each = local.lb_targets
+
+  load_balancer_arn = aws_lb.main.arn
+  port              = each.value.ingress_port
+  protocol          = "TCP"
+
+  default_action {
+    type             = "forward"
+    target_group_arn = aws_lb_target_group.main[each.key].arn
+  }
+}
+
+# security group
+resource "aws_security_group" "lb" {
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  name        = "${local.lb_name}-sg"
+  description = "Allow access to the ${var.role} load-balancer"
+  vpc_id      = var.env_config.vpc_id
+  tags        = merge({ Name = "${local.lb_name}-sg" }, local.additional_tags)
+
+  # Dynamic, per-listener CIDR Block ingress rules
+  dynamic "ingress" {
+    for_each = local.lb_targets
+    content {
+      from_port   = ingress.value.ingress_port
+      to_port     = ingress.value.ingress_port
+      protocol    = "TCP"
+      cidr_blocks = var.lb_config.ingress.cidr_blocks
+    }
+  }
+
+  # Dynamic, per-listener prefix list ingress rules if prefix list IDs are specified
+  dynamic "ingress" {
+    for_each = length(var.lb_config.ingress.prefix_list_ids) > 0 ? local.lb_targets : {}
+    content {
+      from_port       = ingress.value.ingress_port
+      to_port         = ingress.value.ingress_port
+      protocol        = "TCP"
+      prefix_list_ids = var.lb_config.ingress.prefix_list_ids
+    }
+  }
+
+  egress {
+    from_port   = var.lb_config.server_listen_port
+    to_port     = var.lb_config.server_listen_port
+    protocol    = "TCP"
+    cidr_blocks = var.lb_config.egress.cidr_blocks
+  }
+}
+
+resource "aws_lb_target_group" "main" {
+  lifecycle {
+    create_before_destroy = true
+  }
+
+  for_each = local.lb_targets
+
+  name                   = "${aws_lb.main.name}-tg-${each.key}"
+  port                   = var.lb_config.server_listen_port
+  protocol               = "TCP"
+  vpc_id                 = var.env_config.vpc_id
+  deregistration_delay   = 60
+  connection_termination = true
+  health_check {
+    healthy_threshold   = 3
+    interval            = 10
+    timeout             = 8
+    unhealthy_threshold = 2
+    port                = var.lb_config.server_listen_port
+    protocol            = "TCP"
+  }
+}
diff --git a/ops/terraform/services/server/modules/bfd_server_asg/scripts/asg-data.sh b/ops/terraform/services/server/modules/bfd_server_asg/scripts/asg-data.sh
index 37c58967f3..eb2657585d 100755
--- a/ops/terraform/services/server/modules/bfd_server_asg/scripts/asg-data.sh
+++ b/ops/terraform/services/server/modules/bfd_server_asg/scripts/asg-data.sh
@@ -1,9 +1,9 @@
 #!/usr/bin/env sh
 #######################################
-# Fetch the even/odd autoscaling group instance and warm_pool counts.
+# Fetch the even/odd autoscaling group launch template versions, instance and warm_pool counts.
 # Returned json object includes...
-# "odd_desired_capacity", "odd_warmpool_min_size", "even_desired_capacity",
-# and "even_warmpool_min_size" as strings.
+# "odd_launch_template_version", "odd_desired_capacity", "odd_warmpool_min_size",
+# "even_launch_template_version", "even_desired_capacity", and "even_warmpool_min_size" as strings.
 # This is intended for use in terraform as an external data resource.
 # Requires yq and awscli
 #
@@ -11,8 +11,10 @@
 # `./asg-data.sh 2558-test` might yield the following for an existing ASG:
 #
 #  {
+#    "odd_launch_template_version": "9",
 #    "odd_desired_capacity": "3",
 #    "odd_warmpool_min_size": "3",
+#    "even_launch_template_version": "10",
 #    "even_desired_capacity": "0",
 #    "even_warmpool_min_size": "0"
 #  }
@@ -20,8 +22,10 @@
 # `./asg-data.sh foo` yields the following for a non-existent ASG:
 #
 #  {
+# .  "odd_launch_template_version": "null",
 #    "odd_desired_capacity": "0",
 #    "odd_warmpool_min_size": "0",
+# .  "even_launch_template_version": "null",
 #    "even_desired_capacity": "0",
 #    "even_warmpool_min_size": "0"
 #  }
@@ -43,8 +47,10 @@ export even="$(aws autoscaling describe-auto-scaling-groups \
     --output json --query 'AutoScalingGroups[0]')"
 
 yq  --output-format=json --null-input '{
+  "odd_launch_template_version": env(odd) | .LaunchTemplate.Version | tostring,
   "odd_desired_capacity": env(odd) | .DesiredCapacity // 0 | tostring,
   "odd_warmpool_min_size": env(odd) | .WarmPoolConfiguration.MinSize // 0 | tostring,
+  "even_launch_template_version": env(even) | .LaunchTemplate.Version | tostring,
   "even_desired_capacity": env(even) | .DesiredCapacity // 0 | tostring,
   "even_warmpool_min_size": env(even) | .WarmPoolConfiguration.MinSize // 0 | tostring
 }'
diff --git a/ops/terraform/services/server/modules/bfd_server_asg/variables.tf b/ops/terraform/services/server/modules/bfd_server_asg/variables.tf
index 88dc05dbb3..12005f6ff5 100644
--- a/ops/terraform/services/server/modules/bfd_server_asg/variables.tf
+++ b/ops/terraform/services/server/modules/bfd_server_asg/variables.tf
@@ -35,8 +35,21 @@ variable "db_config" {
 
 variable "lb_config" {
   description = "Load balancer information"
-  type        = object({ name = string, port = number, sg = string })
-  default     = null
+  type = object({
+    is_public                  = bool
+    enable_deletion_protection = bool
+    ingress = object({
+      green_port      = number
+      blue_port       = number
+      cidr_blocks     = list(string)
+      prefix_list_ids = list(string)
+    })
+    egress = object({
+      cidr_blocks = list(string)
+    })
+    server_listen_port = string
+  })
+  default = null
 }
 
 variable "mgmt_config" {
@@ -63,3 +76,17 @@ variable "jdbc_suffix" {
   description = "boolean controlling logging of detail SQL values if a BatchUpdateException occurs; false disables detail logging"
   type        = string
 }
+
+# TODO: Remove below code in BFD-3878
+variable "legacy_clb_name" {
+  default     = null
+  type        = string
+  description = "Name of the legacy CLB to associate ASGs to; only necessary for established environments"
+}
+
+variable "legacy_sg_id" {
+  default     = null
+  type        = string
+  description = "Name of the legacy Security Group to allow ingress from in the app SG"
+}
+# TODO: Remove above code in BFD-3878
diff --git a/ops/terraform/services/server/modules/bfd_server_lb/data-sources.tf b/ops/terraform/services/server/modules/bfd_server_lb/data-sources.tf
index fc8bbb14fd..30298affa7 100644
--- a/ops/terraform/services/server/modules/bfd_server_lb/data-sources.tf
+++ b/ops/terraform/services/server/modules/bfd_server_lb/data-sources.tf
@@ -13,8 +13,3 @@ data "aws_subnet" "app_subnets" {
     values = [var.layer]
   }
 }
-
-# S3 bucket for logs
-data "aws_s3_bucket" "logs" {
-  bucket = var.log_bucket
-}
diff --git a/ops/terraform/services/server/modules/bfd_server_lb/main.tf b/ops/terraform/services/server/modules/bfd_server_lb/main.tf
index 75cebdf7c8..987ea958a4 100644
--- a/ops/terraform/services/server/modules/bfd_server_lb/main.tf
+++ b/ops/terraform/services/server/modules/bfd_server_lb/main.tf
@@ -1,16 +1,15 @@
-# Create an internal application LB with TCP listeners. 
+# Create an internal application LB with TCP listeners.
 #
 
 locals {
   env             = terraform.workspace
   additional_tags = { Layer = var.layer, role = var.role }
-  log_prefix      = "${var.role}_elb_access_logs"
 }
 
 ## RESOURCES
 #
 
-# classic ELB 
+# classic ELB
 resource "aws_elb" "main" {
   name = "bfd-${local.env}-${var.role}"
   tags = local.additional_tags
@@ -32,23 +31,20 @@ resource "aws_elb" "main" {
   }
 
   health_check {
-    healthy_threshold   = 3 
+    healthy_threshold   = 3
     unhealthy_threshold = 5 # Server, on avg, inits within 40 seconds; this gives enough time for it to do so
     target              = "TCP:${var.egress.port}"
     interval            = 10 # (seconds) Match HealthApt
     timeout             = 5  # (seconds) Match HealthApt
   }
-
-  access_logs {
-    enabled       = false
-    bucket        = var.log_bucket
-    bucket_prefix = local.log_prefix
-    interval      = 5 # (minutes) Match HealthApt      
-  }
 }
 
 # security group
 resource "aws_security_group" "lb" {
+  lifecycle {
+    create_before_destroy = true
+  }
+
   name        = "bfd-${local.env}-${var.role}-lb"
   description = "Allow access to the ${var.role} load-balancer"
   vpc_id      = var.env_config.vpc_id
@@ -82,40 +78,3 @@ resource "aws_security_group" "lb" {
     description = var.egress.description
   }
 }
-
-# policy for S3 log access
-resource "aws_s3_bucket_policy" "logs" {
-  bucket = data.aws_s3_bucket.logs.id
-
-  policy = <<POLICY
-{
-  "Version": "2012-10-17",
-  "Id": "LBAccessLogs",
-  "Statement": [
-    {
-      "Effect": "Allow",
-      "Principal": {
-          "AWS": "${data.aws_elb_service_account.main.arn}"
-      },
-      "Action": "s3:PutObject",
-      "Resource": "arn:aws:s3:::${var.log_bucket}/*"
-    },
-    {
-      "Sid": "AllowSSLRequestsOnly",
-      "Effect": "Deny",
-      "Principal": "*",
-      "Action": "s3:*",
-      "Resource": [
-          "arn:aws:s3:::${var.log_bucket}",
-          "arn:aws:s3:::${var.log_bucket}/*"
-      ],
-      "Condition": {
-          "Bool": {
-              "aws:SecureTransport": "false"
-          }
-      }
-    }
-  ]
-}
-POLICY
-}
diff --git a/ops/terraform/services/server/modules/bfd_server_lb/outputs.tf b/ops/terraform/services/server/modules/bfd_server_lb/outputs.tf
index c9bf66d142..936352bf0a 100644
--- a/ops/terraform/services/server/modules/bfd_server_lb/outputs.tf
+++ b/ops/terraform/services/server/modules/bfd_server_lb/outputs.tf
@@ -1,7 +1,7 @@
-output "name" {
+output "legacy_clb_name" {
   value = aws_elb.main.name
 }
 
-output "lb_config" {
-  value = { name = aws_elb.main.name, port = var.egress.port, sg = aws_security_group.lb.id }
+output "legacy_sg_id" {
+  value = aws_security_group.lb.id
 }
diff --git a/ops/terraform/services/server/modules/bfd_server_lb/variables.tf b/ops/terraform/services/server/modules/bfd_server_lb/variables.tf
index 3a60868519..f9fc3ad76a 100644
--- a/ops/terraform/services/server/modules/bfd_server_lb/variables.tf
+++ b/ops/terraform/services/server/modules/bfd_server_lb/variables.tf
@@ -13,10 +13,6 @@ variable "layer" {
   type        = string
 }
 
-variable "log_bucket" {
-  type = string
-}
-
 variable "is_public" {
   description = "If true, the LB is created as a public LB"
   type        = bool