diff --git a/services/terraform/self-host/aws_lb.tf b/services/terraform/self-host/aws_lb.tf
index b3cd824f5..2ece8a81d 100644
--- a/services/terraform/self-host/aws_lb.tf
+++ b/services/terraform/self-host/aws_lb.tf
@@ -1,88 +1,84 @@
 resource "aws_security_group" "lb_sg" { name = "lb-sg" description = "Security group for keyserver load balancer" vpc_id = local.vpc_id ingress { from_port = 443 to_port = 443 protocol = "tcp" cidr_blocks = ["0.0.0.0/0"] } ingress { from_port = 443 to_port = 443 protocol = "tcp" cidr_blocks = [for ip in var.allowed_ips : "${ip}/32"] } egress { from_port = 0 to_port = 0 protocol = "-1" cidr_blocks = ["0.0.0.0/0"] } } resource "aws_lb_target_group" "keyserver_service" { name = "keyserver-service-ecs-tg" port = 3000 protocol = "HTTP" vpc_id = local.vpc_id # "awsvpc" network mode requires target type set to ip target_type = "ip" stickiness { type = "lb_cookie" cookie_duration = 86500 enabled = true } health_check { enabled = true healthy_threshold = 2 unhealthy_threshold = 3 protocol = "HTTP" path = "/health" matcher = "200-299" } } resource "aws_lb" "keyserver_service" { load_balancer_type = "application" name = "keyserver-service-lb" security_groups = [aws_security_group.lb_sg.id] internal = false subnets = local.vpc_subnets } resource "aws_lb_listener" "keyserver_service" { load_balancer_arn = aws_lb.keyserver_service.arn port = "443" protocol = "HTTPS" ssl_policy = "ELBSecurityPolicy-2016-08" certificate_arn = data.aws_acm_certificate.keyserver_service.arn default_action { type = "forward" target_group_arn = aws_lb_target_group.keyserver_service.arn } lifecycle { ignore_changes = [default_action[0].forward[0].stickiness[0].duration] replace_triggered_by = [aws_lb_target_group.keyserver_service] } } data "aws_acm_certificate" "keyserver_service" { domain = var.keyserver_domain_name statuses = ["ISSUED"] }
-
-output "keyserver_service_load_balancer_dns_name" {
- value = aws_lb.keyserver_service.dns_name
-}
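Review bot: The second ingress block of aws_security_group.lb_sg, which limits port 443 to `[for ip in var.allowed_ips : "${ip}/32"]`, has no effect while the first ingress block opens the same port with `cidr_blocks = ["0.0.0.0/0"]`; security group rules are evaluated as a union, so the listener is reachable from any address regardless of var.allowed_ips. If the allow-list is the intent, delete the 0.0.0.0/0 rule; if the load balancer is deliberately public, delete the allow-list rule so the configuration does not suggest a restriction that is not enforced. Separately, `ssl_policy = "ELBSecurityPolicy-2016-08"` on aws_lb_listener.keyserver_service still negotiates TLS 1.0 and 1.1; a TLS 1.2-minimum policy such as `ssl_policy = "ELBSecurityPolicy-TLS13-1-2-2021-06"` is the usual choice for a keyserver endpoint. Both points sit in context lines that this commit leaves untouched (it only moves the output block), so they are pre-existing rather than regressions introduced here.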
diff --git a/services/terraform/self-host/outputs.tf b/services/terraform/self-host/outputs.tf
new file mode 100644
index 000000000..c21adc616
--- /dev/null
+++ b/services/terraform/self-host/outputs.tf
@@ -0,0 +1,3 @@
+output "keyserver_service_load_balancer_dns_name" {
+ value = aws_lb.keyserver_service.dns_name
+}
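Review bot: The output moved into outputs.tf carries no `description`, so `terraform output` and any module consumer get no hint of what the value is; adding `description = "Public DNS name of the keyserver application load balancer"` next to `value` documents it at no cost. Splitting outputs into their own file is otherwise a reasonable layout change.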