diff --git a/modules/postgres-restore/download_sg.tf b/modules/postgres-restore/download_sg.tf
new file mode 100644
index 00000000..efcca3df
--- /dev/null
+++ b/modules/postgres-restore/download_sg.tf
@@ -0,0 +1,20 @@
+resource "aws_security_group" "migrate_download_task" {
+  name        = "${var.resource_name_prefixes.normal}:PGRESTORE:${upper(var.restore_name)}:ECSTASK:DOWNLOAD"
+  description = "Restore Download task"
+  vpc_id      = var.vpc_id
+
+  tags = {
+    Name = "${var.resource_name_prefixes.normal}:PGRESTORE:${upper(var.restore_name)}:ECSTASK:DOWNLOAD"
+  }
+}
+
+resource "aws_security_group_rule" "migrate_download_task_https_out_anywhere" {
+  cidr_blocks       = ["0.0.0.0/0"]
+  description       = "Allow https out from download task to anywhere"
+  from_port         = 443
+  protocol          = "tcp"
+  security_group_id = aws_security_group.migrate_download_task.id
+  to_port           = 443
+  type              = "egress"
+}
+
diff --git a/modules/postgres-restore/download_task.tf b/modules/postgres-restore/download_task.tf
new file mode 100644
index 00000000..7a959ba7
--- /dev/null
+++ b/modules/postgres-restore/download_task.tf
@@ -0,0 +1,49 @@
+module "download_task" {
+  source = "../../resource-groups/ecs-fargate-task-definition"
+
+  aws_account_id = var.aws_account_id
+  aws_region     = var.aws_region
+  container_definitions = {
+    pg_dump = {
+      cpu                   = var.download_task_cpu
+      environment_variables = []
+      essential             = true
+      healthcheck_command   = null
+      image                 = var.cf_config.cf_cli_docker_image
+      memory                = var.download_task_memory
+      mounts = [
+        {
+          mount_point = "/mnt/efs0"
+          read_only   = false
+          volume_name = "efs0"
+        }
+      ]
+      # N.B. $DUMP_FILENAME is injected by the Step Function task
+      override_command = [
+        "sh", "-c",
+        "apk update && apk add --no-cache postgresql-client && cf install-plugin -f conduit && rm -rf $DUMP_FILENAME && cf login -a ${var.cf_config.api_endpoint} -u $CF_USERNAME -p $CF_PASSWORD -o ${var.cf_config.org} -s ${var.cf_config.space} && cf conduit --app-name ccs-${var.restore_name}-migration-pg-dump-$RANDOM ${var.cf_config.db_service_instance} -- pg_dump -j ${var.download_task_pgdump_workers} -Fd --file $DUMP_FILENAME --no-acl --no-owner"
+      ]
+      port = null
+      # ECS Execution role will need access to these - see aws_iam_role_policy.ecs_execution_role__read_cf_creds_ssm
+      secret_environment_variables = [
+        { "name" : "CF_PASSWORD", "valueFrom" : aws_ssm_parameter.cf_password.arn },
+        { "name" : "CF_USERNAME", "valueFrom" : aws_ssm_parameter.cf_username.arn }
+      ]
+    }
+  }
+  ecs_execution_role_arn = var.ecs_execution_role.arn
+  family_name            = "pg_migrate_${var.restore_name}_download"
+  task_cpu               = var.download_task_cpu
+  task_memory            = var.download_task_memory
+  volumes = [
+    {
+      access_point_id = aws_efs_access_point.db_dump.id
+      file_system_id  = aws_efs_file_system.db_dump.id
+      volume_name     = "efs0"
+    }
+  ]
+
+  depends_on = [
+    aws_efs_mount_target.db_dump
+  ]
+}
diff --git a/modules/postgres-restore/ecs_execution_role_policies.tf b/modules/postgres-restore/ecs_execution_role_policies.tf
new file mode 100644
index 00000000..f03c724b
--- /dev/null
+++ b/modules/postgres-restore/ecs_execution_role_policies.tf
@@ -0,0 +1,18 @@
+# Permissions which need to be granted to the main project's ECS Execution role
+#
+data "aws_iam_policy_document" "restore_policy" {
+  version = "2012-10-17"
+  # We are expecting repeated Sids of "DescribeAllLogGroups", hence `overwrite` rather than `source`
+  override_policy_documents = [
+    # Main ECS execution role needs access to decrypt and inject SSM params as env vars
+    # module.table_rows_target.write_task_logs_policy_document_json,
+    module.download_task.write_task_logs_policy_document_json,
+    module.restore_task.write_task_logs_policy_document_json,
+  ]
+}
+
+resource "aws_iam_role_policy" "ecs_execution_role__restore_policy" {
+  name   = "${var.restore_name}-restore-policy"
+  role   = var.ecs_execution_role.name
+  policy = data.aws_iam_policy_document.restore_policy.json
+}
diff --git a/modules/postgres-restore/efs.tf b/modules/postgres-restore/efs.tf
new file mode 100644
index 00000000..023eed52
--- /dev/null
+++ b/modules/postgres-restore/efs.tf
@@ -0,0 +1,109 @@
+resource "aws_efs_file_system" "db_restore" {
+  encrypted = true
+
+  tags = {
+    "Name" = "${var.resource_name_prefixes.normal}:PGRESTORE:${upper(var.restore_name)}"
+    "TYPE" = "EFS"
+  }
+
+  throughput_mode = "elastic"
+}
+
+resource "aws_efs_access_point" "db_restore" {
+  file_system_id = aws_efs_file_system.db_restore.id
+
+  posix_user {
+    gid = 0
+    uid = 0
+  }
+
+  root_directory {
+    creation_info {
+      owner_gid   = 0
+      owner_uid   = 0
+      permissions = "700"
+    }
+    path = "/pgmigrate"
+  }
+
+  tags = {
+    "Name" = "${var.resource_name_prefixes.normal}:PGRESTORE:${upper(var.restore_name)}"
+  }
+}
+
+resource "aws_efs_file_system_policy" "db_restore" {
+  file_system_id = aws_efs_file_system.db_restore.id
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "AllowAccessViaMountTarget",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "*"
+            },
+            "Action": [
+                "elasticfilesystem:ClientMount",
+                "elasticfilesystem:ClientRootAccess",
+                "elasticfilesystem:ClientWrite"
+            ],
+            "Condition": {
+                "Bool": {
+                    "elasticfilesystem:AccessedViaMountTarget": "true"
+                }
+            },
+            "Resource" : "${aws_efs_file_system.db_restore.arn}"
+        }
+    ]
+}
+EOF
+}
+
+resource "aws_efs_mount_target" "db_restore" {
+  for_each        = var.efs_subnet_ids
+  file_system_id  = aws_efs_file_system.db_restore.id
+  security_groups = [aws_security_group.db_restore_fs.id]
+  subnet_id       = each.value
+}
+
+resource "aws_security_group" "db_restore_fs" {
+  name        = "${var.resource_name_prefixes.normal}:PGRESTORE:${upper(var.restore_name)}:EFS"
+  description = "FS for db dump during Postgres migration process"
+  vpc_id      = var.vpc_id
+
+  tags = {
+    "Name" = "${var.resource_name_prefixes.normal}:PGRESTORE:${upper(var.restore_name)}:EFS"
+  }
+}
+
+resource "aws_security_group" "db_restore_fs_clients" {
+  name        = "${var.resource_name_prefixes.normal}:PGRESTORE:${upper(var.restore_name)}:EFS:CLIENTS"
+  description = "Entities permitted to access the EFS filesystem"
+  vpc_id      = var.vpc_id
+
+  tags = {
+    Name = "${var.resource_name_prefixes.normal}:PGRESTORE:${upper(var.restore_name)}:EFS:CLIENTS"
+  }
+}
+
+resource "aws_security_group_rule" "db_restore_fs_clients_nfs_out" {
+  description              = "Allow NFS outwards from filesystem clients to filesystem"
+  from_port                = 2049
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.db_restore_fs_clients.id
+  source_security_group_id = aws_security_group.db_restore_fs.id
+  to_port                  = 2049
+  type                     = "egress"
+}
+
+resource "aws_security_group_rule" "db_restore_fs_efs_in" {
+  description              = "Allow NFS inwards from filesystem clients to filesystem"
+  from_port                = 2049
+  protocol                 = "tcp"
+  security_group_id        = aws_security_group.db_restore_fs.id
+  source_security_group_id = aws_security_group.db_restore_fs_clients.id
+  to_port                  = 2049
+  type                     = "ingress"
+}
diff --git a/modules/postgres-restore/main.tf b/modules/postgres-restore/main.tf
new file mode 100644
index 00000000..dee17a26
--- /dev/null
+++ b/modules/postgres-restore/main.tf
@@ -0,0 +1,235 @@
+resource "aws_sfn_state_machine" "perform_migration" {
+  name     = "perform-${var.restore_name}-postgres-migration"
+  role_arn = aws_iam_role.sfn_perform_migration.arn
+
+  definition = <<EOF
+{
+  "Comment": "Migrate a PG database from CF to RDS: ${var.restore_name}",
+  "StartAt": "Set RunOnceOnly lock",
+  "States": {
+    "Set RunOnceOnly lock": {
+      "Type": "Task",
+      "Resource": "arn:aws:states:::aws-sdk:dynamodb:putItem",
+      "Parameters": {
+        "TableName": "${aws_dynamodb_table.restore_lock.name}",
+        "Item": {
+          "Locked": {
+            "S": "LOCKED"
+          }
+        },
+        "ConditionExpression": "attribute_not_exists(Locked)"
+      },
+      "ResultPath": null,
+      "Next": "Get Table Row Counts and Estimates from Source"
+    },
+    "Get Table Row Counts and Estimates from Source": {
+      "Type": "Task",
+      "Resource": "arn:aws:states:::ecs:runTask.sync",
+      "Parameters": {
+        "Cluster": "${var.ecs_cluster_arn}",
+        "TaskDefinition": "${module.table_rows_source.task_definition_arn}",
+        "NetworkConfiguration": {
+          "AwsvpcConfiguration": {
+            "AssignPublicIp": "DISABLED",
+            "SecurityGroups.$": "States.Array('${aws_security_group.migrate_download_task.id}')",
+            "Subnets": ["${var.subnet_id}"]
+          }
+        }
+      },
+      "ResultPath": null,
+      "Next": "Download PG dump from CF"
+    },
+    "Download PG dump from CF": {
+      "Type": "Task",
+      "Resource": "arn:aws:states:::ecs:runTask.sync",
+      "Parameters": {
+        "Cluster": "${var.ecs_cluster_arn}",
+        "TaskDefinition": "${module.download_task.task_definition_arn}",
+        "NetworkConfiguration": {
+          "AwsvpcConfiguration": {
+            "AssignPublicIp": "DISABLED",
+            "SecurityGroups.$": "States.Array('${aws_security_group.migrate_download_task.id}', '${aws_security_group.db_restore_fs_clients.id}')",
+            "Subnets": ["${var.subnet_id}"]
+          }
+        },
+        "Overrides": {
+          "ContainerOverrides": [
+            {
+              "Name": "pg_dump",
+              "Environment": [
+                {
+                  "Name": "DUMP_FILENAME",
+                  "Value": "/mnt/efs0/${var.restore_name}.dir"
+                }
+              ]
+            }
+          ]
+        }
+      },
+      "ResultPath": null,
+      "Next": "Restore PG dump into RDS"
+    },
+    "Restore PG dump into RDS": {
+      "Type": "Task",
+      "Resource": "arn:aws:states:::ecs:runTask.sync",
+      "Parameters": {
+        "Cluster": "${var.ecs_cluster_arn}",
+        "TaskDefinition": "${module.restore_task.task_definition_arn}",
+        "NetworkConfiguration": {
+          "AwsvpcConfiguration": {
+            "AssignPublicIp": "DISABLED",
+            "SecurityGroups.$": "States.Array('${aws_security_group.migrate_restore_task.id}', '${aws_security_group.db_restore_fs_clients.id}', '${var.db_clients_security_group_id}')",
+            "Subnets": ["${var.subnet_id}"]
+          }
+        },
+        "Overrides": {
+          "ContainerOverrides": [
+            {
+              "Name": "pg_restore",
+              "Environment": [
+                {
+                  "Name": "DUMP_FILENAME",
+                  "Value": "/mnt/efs0/${var.restore_name}.dir"
+                }
+              ]
+            }
+          ]
+        }
+      },
+      "ResultPath": null,
+      "Next": "Get Table Row Counts and Estimates from Target"
+    },
+    "Get Table Row Counts and Estimates from Target": {
+      "Type": "Task",
+      "Resource": "arn:aws:states:::ecs:runTask.sync",
+      "Parameters": {
+        "Cluster": "${var.ecs_cluster_arn}",
+        "TaskDefinition": "${module.table_rows_target.task_definition_arn}",
+        "NetworkConfiguration": {
+          "AwsvpcConfiguration": {
+            "AssignPublicIp": "DISABLED",
+            "SecurityGroups.$": "States.Array('${aws_security_group.migrate_restore_task.id}', '${var.db_clients_security_group_id}')",
+            "Subnets": ["${var.subnet_id}"]
+          }
+        }
+      },
+      "ResultPath": null,
+      "End": true
+    }
+  }
+}
+EOF
+
+  depends_on = [
+    # Some of the permissions are needed _at Terraform apply time_ hence the explicit dependency
+    aws_iam_role_policy.sfn_perform_migration,
+  ]
+
+  tags = {
+    GPaasPostgresRestoreName = var.restore_name
+  }
+}
+
+resource "aws_iam_role" "sfn_perform_migration" {
+  name = "perform-${var.restore_name}-migration-sfn"
+
+  assume_role_policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = [
+      {
+        Action = "sts:AssumeRole"
+        Effect = "Allow"
+        Sid    = ""
+        Principal = {
+          Service = "states.amazonaws.com"
+        }
+      }
+    ]
+  })
+}
+
+data "aws_iam_policy_document" "sfn_perform_migration" {
+  version = "2012-10-17"
+
+  statement {
+    sid = "AllowPassEcsExecRole"
+
+    effect = "Allow"
+
+    actions = [
+      "iam:GetRole",
+      "iam:PassRole"
+    ]
+
+    resources = [
+      var.ecs_execution_role.arn,
+    ]
+  }
+
+  statement {
+    sid = "AllowPutRestoreLockItem"
+
+    effect = "Allow"
+
+    actions = [
+      "dynamodb:PutItem"
+    ]
+
+    resources = [
+      aws_dynamodb_table.restore_lock.arn
+    ]
+  }
+
+  statement {
+    sid = "AllowRunRestoreTasks"
+
+    effect = "Allow"
+
+    actions = [
+      "ecs:RunTask"
+    ]
+
+    resources = [
+      "${module.table_rows_source.task_definition_arn_without_revision}:*",
+      "${module.table_rows_target.task_definition_arn_without_revision}:*",
+      "${module.download_task.task_definition_arn_without_revision}:*",
+      "${module.restore_task.task_definition_arn_without_revision}:*"
+    ]
+  }
+
+  statement {
+    sid = "AllowStopRestoreTasks"
+
+    effect = "Allow"
+
+    actions = [
+      "ecs:DescribeTasks",
+      "ecs:StopTask"
+    ]
+
+    resources = [
+      "*"
+    ]
+  }
+
+  statement {
+    sid = "AllowDotSyncExecutionOfEcsTasks"
+
+    effect = "Allow"
+
+    actions = [
+      "events:DescribeRule",
+      "events:PutRule",
+      "events:PutTargets"
+    ]
+
+    resources = [
+      "arn:aws:events:${var.aws_region}:${var.aws_account_id}:rule/StepFunctionsGetEventsForECSTaskRule"
+    ]
+  }
+}
+
+resource "aws_iam_role_policy" "sfn_perform_migration" {
+  role   = aws_iam_role.sfn_perform_migration.name
+  policy = data.aws_iam_policy_document.sfn_perform_migration.json
+}
diff --git a/modules/postgres-restore/providers.tf b/modules/postgres-restore/providers.tf
new file mode 100644
index 00000000..8912fbb9
--- /dev/null
+++ b/modules/postgres-restore/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">=5.26.0"
+    }
+  }
+}
diff --git a/modules/postgres-restore/restore_sg.tf b/modules/postgres-restore/restore_sg.tf
new file mode 100644
index 00000000..2c5dafad
--- /dev/null
+++ b/modules/postgres-restore/restore_sg.tf
@@ -0,0 +1,19 @@
+resource "aws_security_group" "migrate_restore_task" {
+  name        = "${var.resource_name_prefixes.normal}:PGRESTORE:${upper(var.restore_name)}:ECSTASK:RESTORE"
+  description = "Restore Restore task"
+  vpc_id      = var.vpc_id
+
+  tags = {
+    Name = "${var.resource_name_prefixes.normal}:PGRESTORE:${upper(var.restore_name)}:ECSTASK:RESTORE"
+  }
+}
+
+resource "aws_security_group_rule" "migrate_restore_task_https_out_anywhere" {
+  cidr_blocks       = ["0.0.0.0/0"]
+  description       = "Allow https out from restore task to anywhere"
+  from_port         = 443
+  protocol          = "tcp"
+  security_group_id = aws_security_group.migrate_restore_task.id
+  to_port           = 443
+  type              = "egress"
+}
diff --git a/modules/postgres-restore/restore_task.tf b/modules/postgres-restore/restore_task.tf
new file mode 100644
index 00000000..5531dcae
--- /dev/null
+++ b/modules/postgres-restore/restore_task.tf
@@ -0,0 +1,44 @@
+module "restore_task" {
+  source = "../../resource-groups/ecs-fargate-task-definition"
+
+  aws_account_id = var.aws_account_id
+  aws_region     = var.aws_region
+  container_definitions = {
+    pg_restore = {
+      cpu                   = var.restore_task_cpu
+      environment_variables = []
+      essential             = true
+      healthcheck_command   = null
+      image                 = var.postgres_docker_image
+      memory                = var.restore_task_memory
+      mounts = [
+        {
+          mount_point = "/mnt/efs0"
+          read_only   = false
+          volume_name = "efs0"
+        }
+      ]
+      # N.B. $DUMP_FILENAME is injected by the Step Function task
+      override_command = [
+        "sh", "-c",
+        "pg_restore --clean --if-exists -d $DB_CONNECTION_URL -j ${var.restore_task_pgrestore_workers} --no-acl --no-owner $DUMP_FILENAME"
+      ]
+      port = null
+      secret_environment_variables = [
+        { "name" : "DB_CONNECTION_URL", "valueFrom" : var.target_db_connection_url_ssm_param_arn }
+      ]
+
+    }
+  }
+  ecs_execution_role_arn = var.ecs_execution_role.arn
+  family_name            = "pg_migrate_${var.restore_name}_restore"
+  task_cpu               = var.restore_task_cpu
+  task_memory            = var.restore_task_memory
+  volumes = [
+    {
+      access_point_id = aws_efs_access_point.db_restore.id
+      file_system_id  = aws_efs_file_system.db_restore.id
+      volume_name     = "efs0"
+    }
+  ]
+}
diff --git a/modules/postgres-restore/user_iam_permissions.tf b/modules/postgres-restore/user_iam_permissions.tf
new file mode 100644
index 00000000..1f18d42e
--- /dev/null
+++ b/modules/postgres-restore/user_iam_permissions.tf
@@ -0,0 +1,60 @@
+# Helper group to enable operatives to run this restore
+resource "aws_iam_group" "run_restore" {
+  name = "run-${var.restore_name}-postgres-restore"
+}
+
+data "aws_iam_policy_document" "run_restore" {
+  version = "2012-10-17"
+
+  statement {
+    sid = "AllowGetTaggedResources"
+
+    effect = "Allow"
+
+    actions = [
+      "tag:GetResources",
+    ]
+
+    resources = [
+      "*"
+    ]
+  }
+
+  statement {
+    sid = "AllowStartPerformMigrationSfn"
+
+    effect = "Allow"
+
+    actions = [
+      "states:StartExecution",
+    ]
+
+    resources = [
+      aws_sfn_state_machine.perform_migration.arn
+    ]
+  }
+
+  statement {
+    sid = "AllowDescribePerformMigrationSfnExecution"
+
+    effect = "Allow"
+
+    actions = [
+      "states:DescribeExecution",
+    ]
+
+    resources = [
+      "${replace(aws_sfn_state_machine.perform_migration.arn, "stateMachine", "execution")}:*"
+    ]
+  }
+}
+
+resource "aws_iam_policy" "run_restore" {
+  name   = "run-${var.restore_name}-postgres-restore"
+  policy = data.aws_iam_policy_document.run_restore.json
+}
+
+resource "aws_iam_group_policy_attachment" "run_restore" {
+  group      = aws_iam_group.run_restore.name
+  policy_arn = aws_iam_policy.run_restore.arn
+}
diff --git a/modules/postgres-restore/variables.tf b/modules/postgres-restore/variables.tf
new file mode 100644
index 00000000..621293bb
--- /dev/null
+++ b/modules/postgres-restore/variables.tf
@@ -0,0 +1,110 @@
+variable "aws_account_id" {
+  type        = string
+  description = "ID of the account into which deployments are performed"
+}
+
+variable "aws_region" {
+  type        = string
+  description = "Region for resource deployment"
+}
+
+variable "count_rows_tables" {
+  type        = set(string)
+  default     = []
+  description = "Tables for which to do an accurate row count. Use for tables under ~10GB in size."
+}
+
+variable "db_clients_security_group_id" {
+  type        = string
+  description = "ID of VPC security group, membership of which allows access to the Postgres db"
+}
+
+variable "ecs_cluster_arn" {
+  type        = string
+  description = "ARN of cluster into which tasks will be deployed"
+}
+
+variable "ecs_execution_role" {
+  type = object({
+    arn  = string
+    name = string
+  })
+  description = "Details of the role which is assumed by the ECS execution processes"
+}
+
+variable "efs_subnet_ids" {
+  type        = set(string)
+  default     = []
+  description = "IDs of the subnest in which to create the EFS mount points"
+}
+
+variable "estimate_rows_tables" {
+  type        = set(string)
+  default     = []
+  description = "Tables for which to do an estimated row count. Use for tables over ~10GB in size."
+}
+
+variable "download_task_cpu" {
+  type        = number
+  default     = 4096
+  description = "CPU resource to allocate to the download task, in millicores"
+}
+
+variable "download_task_memory" {
+  type        = number
+  default     = 8192
+  description = "Memory resource to allocate to the download task, in MiB"
+}
+
+variable "restore_task_cpu" {
+  type        = number
+  default     = 8192
+  description = "CPU resource to allocate to the restore task, in millicores"
+}
+
+variable "restore_task_memory" {
+  type        = number
+  default     = 16384
+  description = "Memory resource to allocate to the restore task, in MiB"
+}
+
+variable "restore_task_pgrestore_workers" {
+  type        = number
+  default     = 8
+  description = "Number of pgrestore workers, one per CPU core"
+}
+
+variable "restore_name" {
+  description = "A name to distinguish this restore"
+  type        = string
+}
+
+variable "postgres_docker_image" {
+  type        = string
+  description = "Canonical name of the Docker image from which to run psql"
+}
+
+variable "resource_name_prefixes" {
+  type = object({
+    normal        = string,
+    hyphens       = string,
+    hyphens_lower = string
+  })
+  description = "Prefix to apply to resources in AWS; options provided to satisfy divergent naming requirements across AWS"
+}
+
+# The migration processes are singular - we don't need multi-AZ here
+variable "subnet_id" {
+  type        = string
+  description = "ID of the subnet in which to run the download/restore ECS tasks and also in which to present the EFS mount point"
+}
+
+variable "target_db_connection_url_ssm_param_arn" {
+  type        = string
+  description = "ARN of SSM param which contains the connection URL for the target Postgres database"
+}
+
+variable "vpc_id" {
+  type        = string
+  description = "ID of the VPC into which to deploy the resources"
+}