diff --git a/.github/workflows/actions/deploy_v2/action.yml b/.github/workflows/actions/deploy_v2/action.yml index 587c7eaf1d..0d13469015 100644 --- a/.github/workflows/actions/deploy_v2/action.yml +++ b/.github/workflows/actions/deploy_v2/action.yml @@ -18,6 +18,8 @@ inputs: outputs: deploy-url: value: ${{ steps.set_env_var.outputs.deploy_url }} + dsi-hostname: + value: ${{ steps.dsi_hostname.outputs.dsi_hostname }} runs: using: composite steps: @@ -42,6 +44,7 @@ runs: uses: hashicorp/setup-terraform@v2 with: terraform_version: ${{ env.TERRAFORM_VERSION }} + terraform_wrapper: false - uses: DFE-Digital/github-actions/set-arm-environment-variables@master with: @@ -52,13 +55,10 @@ runs: shell: bash run: echo "short=$(echo "${{ inputs.sha }}" | cut -c -7)" >> $GITHUB_OUTPUT - - name: Print Sha - id: print-sha-environment + - name: K8 setup shell: bash run: | - echo "${{ inputs.sha }}" - echo "the passed in environment is ${{ inputs.environment }}" - echo terraform version + az aks get-credentials -g s189t01-tsc-ts-rg -n s189t01-tsc-test-aks - name: Terraform init, plan & apply shell: bash @@ -68,3 +68,10 @@ runs: make ci ${envval} terraform-apply-aks PR_NUMBER=${{ inputs.pr }} env: IMAGE_TAG: ${{ steps.sha.outputs.short }} + + - name: Retrieve DSI hostname + id: dsi_hostname + shell: bash + run: | + dsi_hostname=$(terraform -chdir=terraform/aks output -raw dsi_hostname) + echo "dsi_hostname=${dsi_hostname}" >> "$GITHUB_OUTPUT" diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b36fb342ef..7aadb7c4e6 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
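Review bot: The new `K8 setup` step hard-codes the test cluster (`-g s189t01-tsc-ts-rg -n s189t01-tsc-test-aks`) in a composite action that build.yml appears to call once per `matrix.environment`, so every deploy job fetches a kubeconfig for the test AKS cluster. Within this diff only the `review_aks` Makefile target runs `script/get_next_mapping_aks.sh`, which is the consumer of that kubeconfig. Gating the step, e.g. `if: inputs.environment == 'Review'`, keeps the other jobs from holding cluster credentials they do not use; the exact value passed as `environment` is not visible here, so match whatever build.yml sends. A comment such as `# kubeconfig is required by script/get_next_mapping_aks.sh (review_aks target)` would also explain why a Terraform deploy action calls `az aks get-credentials`.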
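Review bot: In `Retrieve DSI hostname`, the value is appended to `$GITHUB_OUTPUT` without any check on its shape, and for review apps it traces back to whatever `script/get_next_mapping_aks.sh` printed. Command substitution strips only trailing newlines, so an embedded newline would add extra `key=value` lines to the step outputs. A guard before the `echo`, for example `[[ "${dsi_hostname}" =~ ^[A-Za-z0-9.-]*$ ]] || { echo "unexpected dsi_hostname" >&2; exit 1; }`, restricts the output to one hostname and still allows the empty value that build.yml treats as the pool-exhausted case. The same value is later rendered into the sticky PR comment, so rejecting anything else here is worthwhile.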
@@ -395,12 +395,6 @@ jobs: with: creds: ${{ secrets.AZURE_CREDENTIALS }} - - name: Get dsi_hostname AKS - if: matrix.environment == 'Review' - run: | - dsi_static_hostname=$( ${GITHUB_WORKSPACE}/script/get_next_mapping_aks.sh ${{github.event.number}} get-school-experience-review-pr-${{github.event.number}}.test.teacherservices.cloud ) - echo "dsi_static_hostname=${dsi_static_hostname}" >> $GITHUB_ENV - - name: Trigger Deployment to ${{matrix.environment}} id: deploy-aks uses: ./.github/workflows/actions/deploy_v2 @@ -416,8 +410,8 @@ jobs: uses: haya14busa/action-cond@v1 id: dsiMessage with: - cond: ${{ env.dsi_static_hostname != '' }} - if_true: ':white_check_mark: DfE AKS sign in route obtained: https://${{ env.dsi_static_hostname }}' + cond: ${{ steps.deploy-aks.outputs.dsi-hostname != '' }} + if_true: ':white_check_mark: DfE AKS sign in route obtained: https://${{ steps.deploy-aks.outputs.dsi-hostname }}' if_false: ':warning: **DfE AKS sign in route pool for AKS exhausted (close some open PRs!)**' - name: Post sticky pull request comment @@ -427,8 +421,9 @@ jobs: recreate: true header: AKS message: | - Review app deployed to https://${{env.AKS_REVIEW_APPLICATION}}-${{github.event.number}}.${{env.REVIEW_AKS_DOMAIN}} - ${{ steps.dsiMessage.outputs.value }} + Review app deployed to https://${{env.AKS_REVIEW_APPLICATION}}-${{github.event.number}}.${{env.REVIEW_AKS_DOMAIN}} + ${{ steps.dsiMessage.outputs.value }} + - name: Add Review Label if: matrix.environment == 'Review' && contains(github.event.pull_request.user.login, 'dependabot') == false uses: actions-ecosystem/action-add-labels@v1 
@@ -465,7 +460,7 @@ jobs: uses: rtCamp/action-slack-notify@master env: SLACK_COLOR: ${{env.SLACK_SUCCESS}} - SLACK_MESSAGE: ${{ fromJson( steps.tag_id.outputs.release_body) }} + SLACK_MESSAGE: ${{ fromJson(steps.tag_id.outputs.release_body) }} SLACK_TITLE: "Release Published: ${{steps.tag_id.outputs.release_name}}" SLACK_WEBHOOK: "${{steps.fetch-slack-secret.outputs.SLACK-WEBHOOK}}" MSG_MINIMAL: true diff --git a/Makefile b/Makefile index cc53304509..f5c4d363b6 100644 --- a/Makefile +++ b/Makefile @@ -67,6 +67,7 @@ review_aks: $(if $(PR_NUMBER), , $(error Missing environment variable "PR_NUMBER")) $(eval export PR_NAME=get-school-experience-review-pr-${PR_NUMBER}.test.teacherservices.cloud) $(eval export TF_VAR_paas_application_name=${PR_NAME}) + $(eval export TF_VAR_dsi_hostname=$(shell script/get_next_mapping_aks.sh ${PR_NUMBER} ${PR_NAME})) $(eval export TF_VAR_environment=review-pr-$(PR_NUMBER)) @@ -93,6 +94,7 @@ production_aks: .PHONY: ci ci: $(eval AUTO_APPROVE=-auto-approve) + $(eval SKIP_AZURE_LOGIN=true) clean: [ ! -f fetch_config.rb ] \ diff --git a/script/get_next_mapping_aks.sh b/script/get_next_mapping_aks.sh index 79825767c7..2ed372fd10 100755 --- a/script/get_next_mapping_aks.sh +++ b/script/get_next_mapping_aks.sh @@ -1,11 +1,15 @@ +#!/usr/bin/env bash + +set -eu +set -o pipefail + pr_number=${1} -pr_name=${2} +non_dsi_hostname=${2} maximun_ing_num=20 get_all_relevant_ingresses() { # Find if it is already in the list of ingresses - ings=($(kubectl get ing -n git-development -o json | \ - jq -r '.items[] | select(.metadata.name | startswith("get-school-experience-review-pr")) | .metadata.name')) + ings=$(kubectl get ing -n git-development -o json | jq -r '.items[] | select(.metadata.name | startswith("get-school-experience-review-pr")) | .metadata.name') echo "${ings[@]}" } 
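Review bot: In `review_aks`, `$(shell script/get_next_mapping_aks.sh ...)` discards the script's exit status, so the `set -eu` and `pipefail` added to the script in this commit cannot stop the deploy. A failed lookup exports an empty `TF_VAR_dsi_hostname`, which is indistinguishable from the pool-exhausted case. With GNU make 4.2 or later the status can be checked right after the call, e.g. `$(if $(filter-out 0,$(.SHELLSTATUS)),$(error get_next_mapping_aks.sh failed))`. The script's stdout is also re-parsed as make syntax by `$(eval ...)`, so it helps to keep the script's diagnostics on stderr and note that in a comment on this line.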
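Review bot: `pr_number` and `non_dsi_hostname` are taken from `$1` and `$2` with no validation, and both are later interpolated into `grep` patterns in `check_existing_dsi_ingress`. With `set -u` a missing argument now aborts with only bash's unbound-variable message. Reading them as `pr_number=${1:-}` and following with `[[ "${pr_number}" =~ ^[0-9]+$ ]] || { echo "usage: $0 <pr_number> <hostname>" >&2; exit 1; }` gives a clear failure and keeps regex metacharacters out of the pattern. Separately, `ings` in `get_all_relevant_ingresses` is now a plain string, so `echo "${ings[@]}"` can become `echo "${ings}"`.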
@@ -13,23 +17,24 @@ get_all_relevant_ingresses() { check_existing_dsi_ingress() { # Find if it is already in the list of existing linked DSI ingresses servicename="get-school-experience-review-pr-${pr_number}" - ings=($(kubectl get ing -o=custom-columns='NAME:.metadata.name,SVCs:..service.name' -n git-development | grep "${servicename}" | grep -v "${pr_name}")) - echo "${ings}" + ings=$(kubectl get ing -o=custom-columns='NAME:.metadata.name,SVCs:..service.name' -n git-development | grep "\b${servicename}\b" | grep -v "${non_dsi_hostname}") + + echo "${ings}" | awk '{print $1}' } extract_numbers_from_list() { local all_existing_ings=$1 local pattern="get-school-experience-review-pr-([0-9]+)\.test\.teacherservices\.cloud" - local all_existing_review_ings=() + local all_existing_review_ings="" for input_string in ${all_existing_ings}; do if [[ "$input_string" =~ $pattern ]]; then itemval="${BASH_REMATCH[1]}" - if ((1 <= itemval && itemval <= maximun_ing_num)); then - all_existing_review_ings+=("${BASH_REMATCH[1]}") + if [ 1 -le $itemval ] && [ $itemval -le $maximun_ing_num ]; then + all_existing_review_ings+=" ${BASH_REMATCH[1]}" fi fi done - echo "${all_existing_review_ings[@]}" + echo "${all_existing_review_ings}" } is_number_in_list() { diff --git a/terraform/aks/application.tf b/terraform/aks/application.tf index 3708f85c03..93896e44f5 100644 --- a/terraform/aks/application.tf +++ b/terraform/aks/application.tf @@ -11,8 +11,9 @@ module "application_configuration" { is_rails_application = true config_variables = { - ENVIRONMENT_NAME = var.environment - PGSSLMODE = local.postgres_ssl_mode + ENVIRONMENT_NAME = var.environment + PGSSLMODE = local.postgres_ssl_mode + DFE_SIGNIN_BASE_URL = "https://${var.dsi_hostname}" } secret_variables = { DB_HOST = var.deploy_postgres ? module.postgres[0].host : "${data.azurerm_key_vault_secret.db_host[0].value}" 
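Review bot: With `set -o pipefail` now enabled, the `ings=$(kubectl ... | grep ... | grep -v ...)` assignment in `check_existing_dsi_ingress` returns non-zero whenever nothing matches, which looks like the normal case for a PR that has no DSI route yet. Depending on how the function is called (the call site is outside this hunk), `set -e` may end the script at that line. Handle the no-match case explicitly, e.g. by appending `|| true` to the grep stage only, so that a real `kubectl` failure is still detected. The second filter also treats the hostname as a regular expression, so its dots match any character; `grep -vF -- "${non_dsi_hostname}"` compares it literally.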
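Review bot: An empty `dsi_hostname` is no longer filtered out. The removed `local.web_external_hostnames` returned `[]` for `""`, whereas `var.create_dsi_ingress ? [var.dsi_hostname] : []` in the `web_application` hunk that follows passes `[""]` for review apps whenever the mapping script returns nothing, the case build.yml reports as the pool being exhausted. How the module treats an empty hostname is not visible here, but a Kubernetes ingress rule without a host applies to all hosts, so the guard is worth keeping: `web_external_hostnames = var.create_dsi_ingress && var.dsi_hostname != "" ? [var.dsi_hostname] : []`. In this hunk the same empty value makes `DFE_SIGNIN_BASE_URL` the bare string `https://`; a short comment stating what the application should do in that case would help.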
@@ -28,18 +29,18 @@ module "web_application" { is_web = true - namespace = var.namespace - environment = var.environment - service_name = var.service_name - replicas = var.app_replicas + namespace = var.namespace + environment = var.environment + service_name = var.service_name + replicas = var.app_replicas cluster_configuration_map = module.cluster_data.configuration_map kubernetes_config_map_name = module.application_configuration.kubernetes_config_map_name kubernetes_secret_name = module.application_configuration.kubernetes_secret_name - docker_image = var.docker_image - command = ["/app/docker-entrypoint.sh", "-m", "-f"] - probe_path = null - web_external_hostnames = local.web_external_hostnames + docker_image = var.docker_image + command = ["/app/docker-entrypoint.sh", "-m", "-f"] + probe_path = null + web_external_hostnames = var.create_dsi_ingress ? [var.dsi_hostname] : [] } module "worker_application" { diff --git a/terraform/aks/config/development.tfvars.json b/terraform/aks/config/development.tfvars.json index 36dcf7006a..ac2b55e43d 100644 --- a/terraform/aks/config/development.tfvars.json +++ b/terraform/aks/config/development.tfvars.json @@ -8,6 +8,6 @@ "azure_enable_backup_storage": false, "enable_monitoring": false, "sidekiq_replicas" : 1, - "sidekiq_memory_max" : "1Gi" - + "sidekiq_memory_max" : "1Gi", + "dsi_hostname": "development.schoolexperience.education.gov.uk" } diff --git a/terraform/aks/config/production.tfvars.json b/terraform/aks/config/production.tfvars.json index 76c15bb002..b80badfdba 100644 --- a/terraform/aks/config/production.tfvars.json +++ b/terraform/aks/config/production.tfvars.json @@ -23,5 +23,6 @@ "website_url": [ "https://get-school-experience-production.teacherservices.cloud/healthcheck.json" ], "contact_group": [282783] } - } + }, + "dsi_hostname": "schoolexperience.education.gov.uk" } diff --git a/terraform/aks/config/review.tfvars.json b/terraform/aks/config/review.tfvars.json index a383f9efa3..cb5098db9f 100644 
--- a/terraform/aks/config/review.tfvars.json +++ b/terraform/aks/config/review.tfvars.json @@ -16,5 +16,6 @@ "review_url_redis_name": "review-redis-url", "statuscake_password_name": "SC-PASSWORD", "sidekiq_replicas" : 1, - "sidekiq_memory_max" : "1Gi" + "sidekiq_memory_max" : "1Gi", + "create_dsi_ingress": true } diff --git a/terraform/aks/config/staging.tfvars.json b/terraform/aks/config/staging.tfvars.json index eb55318fe5..2a5878cfc4 100644 --- a/terraform/aks/config/staging.tfvars.json +++ b/terraform/aks/config/staging.tfvars.json @@ -14,5 +14,6 @@ "website_url": [ "https://get-school-experience-staging.test.teacherservices.cloud/healthcheck.json" ], "contact_group": [282783] } - } + }, + "dsi_hostname": "staging.schoolexperience.education.gov.uk" } diff --git a/terraform/aks/variables.tf b/terraform/aks/variables.tf index dcd52c0c07..c55ee3d4b3 100644 --- a/terraform/aks/variables.tf +++ b/terraform/aks/variables.tf @@ -141,6 +141,7 @@ variable "review_url_redis_name" { default = null description = "The name of the secret storing review redis url" } + variable "statuscake_password_name" { default = "SC-PASSWORD" description = "The name of the statuscake password" @@ -149,9 +150,12 @@ variable "dsi_hostname" { description = "The static hostname for DFE sign-in " default = "" } +variable "create_dsi_ingress" { + description = "Optional additional ingress for DSI hostname when front door is not used" + default = false +} locals { azure_credentials = try(jsondecode(var.azure_credentials_json), null) postgres_ssl_mode = var.enable_postgres_ssl ? "require" : "disable" app_name_suffix = var.app_name == null ? var.environment : var.app_name - web_external_hostnames = var.dsi_hostname == "" ? [] : [var.dsi_hostname] }
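Review bot: `create_dsi_ingress` is declared without a `type`, so any value is accepted and a mistake in a tfvars file only surfaces when the conditional in application.tf is evaluated. Adding `type = bool` here, and `type = string` on `dsi_hostname` just above, makes the contract explicit. The local removed in this hunk was the only place that dropped an empty `dsi_hostname`, so the description should also state that `dsi_hostname` is expected to be non-empty when this flag is true.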