diff --git a/services/terraform/modules/shared/outputs.tf b/services/terraform/modules/shared/outputs.tf
--- a/services/terraform/modules/shared/outputs.tf
+++ b/services/terraform/modules/shared/outputs.tf
@@ -4,6 +4,7 @@
     aws_dynamodb_table.backup-service-backup,
     aws_dynamodb_table.reports-service-reports,
     aws_dynamodb_table.tunnelbroker-undelivered-messages,
+    aws_dynamodb_table.identity-users,
   ]
 }
 
@@ -13,4 +14,4 @@
     for table in local.exported_dynamodb_tables :
     table.name => table
   }
-}
+}
\ No newline at end of file
diff --git a/services/terraform/modules/shared/search_index_lambda.tf b/services/terraform/modules/shared/search_index_lambda.tf
new file mode 100644
--- /dev/null
+++ b/services/terraform/modules/shared/search_index_lambda.tf
@@ -0,0 +1,115 @@
+variable iam_role_arn {
+  default = "arn:aws:iam::000000000000:role/lambda-role"
+}
+
+variable lambda_zip_dir {
+  type = string
+  # default = "${path.module}/../../../search-index-lambda/target/lambda/search-index-lambda"
+  default = "../../search-index-lambda/target/lambda/search-index-lambda"
+}
+
+# data "archive_file" "lambda_zip" {
+#   type        = "zip"
+#   source_dir  = var.lambda_zip_dir
+#   output_path = "${var.lambda_zip_dir}/bootstrap.zip"
+# }
+
+resource "aws_lambda_function" "search_index_lambda" {
+  function_name    = "search-index-lambda-function"
+  # filename         = data.archive_file.lambda_zip_file.output_path
+  # filename         = var.lambda_zip_path
+  # filename         = "${path.module}/../../../search-index-lambda/target/lambda/search-index-lambda/bootstrap.zip"
+  filename           = "${var.lambda_zip_dir}/bootstrap.zip"
+  # source_code_hash = "${data.archive_file.lambda_zip.output_base64sha256}"
+  source_code_hash = filebase64sha256("${var.lambda_zip_dir}/bootstrap.zip")
+  handler          = "bootstrap"
+  # role             = aws_iam_role.lambda_assume_role.arn
+  # role             = "arn:aws:iam::000000000000:role/lambda-role"
+  role             = var.iam_role_arn
+  # runtime          = "provided.al2"
+  runtime          = "provided.al2"
+  architectures    = ["arm64"]
+  memory_size      = 5120
+  timeout          = 300
+
+  environment {
+    variables = {
+      RUST_BACKTRACE = "1"
+    }
+  }
+
+  tracing_config {
+    mode = "Active"
+  }
+}
+
+resource "aws_lambda_event_source_mapping" "trigger" {
+  count = var.is_dev ? 0 : 1 
+  event_source_arn  = aws_dynamodb_table.identity-users.stream_arn
+  function_name     = aws_lambda_function.search_index_lambda.arn
+  starting_position = "LATEST"
+}
+
+# data "archive_file" "lambda_zip_file" {
+#   output_path = "${path.module}/lambda_zip/lambda.zip"
+#   source_dir  = "${path.module}/../../../search-index-lambda/target/lambda/bootstrap.zip"
+#   excludes    = ["__init__.py", "*.pyc"]
+#   type        = "zip"
+# }
+
+# resource "aws_lambda_event_source_mapping" "example" {
+#   event_source_arn  = aws_dynamodb_table.dynamodb_table.stream_arn
+#   function_name     = aws_lambda_function.lambda_function.arn
+#   starting_position = "LATEST"
+# }
+
+# resource "aws_iam_role" "lambda_assume_role" {
+#   name               = "lambda-dynamodb-role"
+#   assume_role_policy = <<EOF
+# {
+#   "Version": "2012-10-17",
+#   "Statement": [
+#     {
+#       "Action": "sts:AssumeRole",
+#       "Principal": {
+#         "Service": "lambda.amazonaws.com"
+#       },
+#       "Effect": "Allow",
+#       "Sid": "LambdaAssumeRole"
+#     }
+#   ]
+# }
+# EOF
+# }
+
+# resource "aws_iam_role_policy" "dynamodb_read_log_policy" {
+#   name   = "lambda-dynamodb-log-policy"
+#   role   = aws_iam_role.lambda_assume_role.id
+#   policy = <<EOF
+# {
+#   "Version": "2012-10-17",
+#   "Statement": [
+#     {
+#         "Action": [ "logs:*" ],
+#         "Effect": "Allow",
+#         "Resource": [ "arn:aws:logs:*:*:*" ]
+#     },
+#     {
+#         "Action": [ "dynamodb:BatchGetItem",
+#                     "dynamodb:GetItem",
+#                     "dynamodb:GetRecords",
+#                     "dynamodb:Scan", We will have the recores inside of the lambda function in event `object`. We can also configure the stream to capture additional data such as "before" and "after" images of modified items.
+#                     "dynamodb:Query",
+#                     "dynamodb:GetShardIterator",
+#                     "dynamodb:DescribeStream",
+#                     "dynamodb:ListStreams" ],
+#         "Effect": "Allow",
+#         "Resource": [
+#           "${aws_dynamodb_table.dynamodb_table.arn}",
+#           "${aws_dynamodb_table.dynamodb_table.arn}/*"
+#         ]
+#     }
+#   ]
+# }
+# EOF
+# }
diff --git a/services/terraform/remote/aws_iam.tf b/services/terraform/remote/aws_iam.tf
--- a/services/terraform/remote/aws_iam.tf
+++ b/services/terraform/remote/aws_iam.tf
@@ -194,3 +194,78 @@
     aws_iam_policy.manage_reports_ddb.arn
   ]
 }
+
+
+data "aws_iam_policy_document" "assume_role_lambda" {
+  statement {
+    effect = "Allow"
+
+    principals {
+      type        = "Service"
+      identifiers = ["lambda.amazonaws.com"]
+    }
+
+    actions = ["sts:AssumeRole"]
+  }
+}
+
+resource "aws_iam_role" "search_index_lambda_role" {
+  name               = "search_index_lambda_role"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_lambda.json
+}
+
+data "aws_iam_policy_document" "manage_dynamodb_stream" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "dynamodb:GetRecords",
+      "dynamodb:GetShardIterator",
+      "dynamodb:DescribeStream",
+      "dynamodb:ListStreams"
+    ]
+    resources = [
+      module.shared.dynamodb_tables["identity-users"].arn,
+      module.shared.dynamodb_tables["identity-users"].stream_arn,
+      "${module.shared.dynamodb_tables["identity-users"].arn}/stream/*",
+    ]
+  }
+}
+
+resource "aws_iam_policy" "manage_dynamodb_stream" {
+  name        = "manage_dynamodb_stream"
+  path        = "/"
+  description = "IAM policy for managing dynamodb streams"
+  policy      = data.aws_iam_policy_document.manage_dynamodb_stream.json
+}
+
+data "aws_iam_policy_document" "lambda_logging" {
+  statement {
+    effect = "Allow"
+
+    actions = [
+      "logs:CreateLogGroup",
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+
+    resources = ["arn:aws:logs:*:*:*"]
+  }
+}
+
+resource "aws_iam_policy" "lambda_logging" {
+  name        = "lambda_logging"
+  path        = "/"
+  description = "IAM policy for logging from a lambda"
+  policy      = data.aws_iam_policy_document.lambda_logging.json
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_logs" {
+  role       = "${aws_iam_role.search_index_lambda_role.name}"
+  policy_arn = aws_iam_policy.lambda_logging.arn
+}
+
+resource "aws_iam_role_policy_attachment" "lambda_stream_attach" {
+  role       = "${aws_iam_role.search_index_lambda_role.name}"
+  policy_arn = aws_iam_policy.manage_dynamodb_stream.arn
+}
\ No newline at end of file
diff --git a/services/terraform/remote/aws_vpc.tf b/services/terraform/remote/aws_vpc.tf
--- a/services/terraform/remote/aws_vpc.tf
+++ b/services/terraform/remote/aws_vpc.tf
@@ -42,6 +42,30 @@
   map_public_ip_on_launch = true
 }
 
+resource "aws_vpc_endpoint" "dynamodb_endpoint" {
+  vpc_id = aws_vpc.default.id
+  service_name = "com.amazonaws.us-east-2.dynamodb"
+  vpc_endpoint_type = "Gateway"
+
+  policy = <<POLICY
+  {
+  "Statement": [
+      {
+      "Action": "*",
+      "Effect": "Allow",
+      "Resource": "*",
+      "Principal": "*"
+      }
+  ]
+  }
+  POLICY
+}
+
+resource "aws_vpc_endpoint_route_table_association" "dynamodb_endpoint" {
+  vpc_endpoint_id = "${aws_vpc_endpoint.dynamodb_endpoint.id}"
+  route_table_id  = "${aws_vpc.default.main_route_table_id}"
+}
+
 # These are described in AWS console as:
 # > The following subnets have not been explicitly associated
 # > with any route tables and are therefore associated with the main route table: