diff --git a/infrastructure/modules/container-app-job/main.tf b/infrastructure/modules/container-app-job/main.tf index 62cc7001..d1e11461 100644 --- a/infrastructure/modules/container-app-job/main.tf +++ b/infrastructure/modules/container-app-job/main.tf @@ -71,6 +71,14 @@ resource "azurerm_container_app_job" "this" { } } + dynamic "secret" { + for_each = var.secret_variables + content { + name = replace(lower(secret.key), "_", "-") + value = secret.value + } + } + # Define the container template for the job. template { @@ -92,6 +100,7 @@ resource "azurerm_container_app_job" "this" { value = env.value } } + dynamic "env" { for_each = var.fetch_secrets_from_app_key_vault ? data.azurerm_key_vault_secrets.app[0].secrets : [] content { @@ -102,6 +111,16 @@ resource "azurerm_container_app_job" "this" { secret_name = lower(env.value.name) } } + + dynamic "env" { + for_each = var.secret_variables + content { + # Env vars are uppercase and underscore separated + name = upper(replace(env.key, "-", "_")) + # app container secrets are lowercase and hyphen separated + secret_name = replace(lower(env.key), "_", "-") + } + } } } diff --git a/infrastructure/modules/container-app-job/variables.tf b/infrastructure/modules/container-app-job/variables.tf index c8daa143..df2e55d2 100644 --- a/infrastructure/modules/container-app-job/variables.tf +++ b/infrastructure/modules/container-app-job/variables.tf @@ -76,6 +76,12 @@ variable "environment_variables" { default = {} } +variable "secret_variables" { + description = "Secret environment variables to pass to the container app." + type = map(string) + default = {} +} + variable "job_parallelism" { description = "The number of replicas that can run in parallel." type = number diff --git a/infrastructure/modules/container-app/main.tf b/infrastructure/modules/container-app/main.tf index 31e27078..750983ee 100644 --- a/infrastructure/modules/container-app/main.tf +++ b/infrastructure/modules/container-app/main.tf 
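Review bot: The `value = secret.value` line in the new `dynamic "secret"` block takes the raw secret from module input, so every value in `var.secret_variables` is written to the Terraform state in plaintext. The Key Vault path visible further down this file appears to reference secrets by name only, so this is a weaker storage model. The variable description should say so, and the state backend's access control and encryption should be treated as part of the secret boundary. Consider `sensitive = true` on the variable, after confirming that the `for_each` in these dynamic blocks still plans on the Terraform version in use. The same block is added to `azurerm_container_app.main` in `container-app/main.tf`.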
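Review bot: The `secret_name` computed in the added `env` block can coincide with one from the Key Vault block just above it, which uses `lower(env.value.name)`. In a constructed example, a `secret_variables` key `DB_PASSWORD` and a Key Vault secret named `db-password` both resolve to `db-password`. Nothing visible here prevents the duplicate, and the diff does not show whether the apply fails or one value silently wins. The env name `upper(replace(env.key, "-", "_"))` can likewise duplicate a key from `environment_variables`. A `precondition` that compares the normalised name sets would surface the conflict at plan time; the `env` block added in `container-app/main.tf` has the same gap.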
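Review bot: `secret_variables` accepts any map key, but `main.tf` derives both the secret name and the env var name from it. Keys that differ only by case or by `_` versus `-` therefore collapse to one name, and keys with other characters produce names the platform may reject. A `validation` block on the variable would catch both at plan time rather than at apply; a sketch follows. The identical variable added in `container-app/variables.tf` needs the same treatment.

```hcl
variable "secret_variables" {
  # … unchanged: description, type, default …

  validation {
    condition = alltrue([
      for k in keys(var.secret_variables) : can(regex("^[A-Za-z][A-Za-z0-9_-]*$", k))
    ])
    error_message = "Keys of secret_variables must start with a letter and contain only letters, digits, '_' and '-'."
  }

  validation {
    condition = length(distinct([
      for k in keys(var.secret_variables) : replace(lower(k), "_", "-")
    ])) == length(var.secret_variables)
    error_message = "Keys of secret_variables must remain unique after lower-casing and replacing '_' with '-'."
  }
}
```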
@@ -61,6 +61,14 @@ resource "azurerm_container_app" "main" { } } + dynamic "secret" { + for_each = var.secret_variables + content { + name = replace(lower(secret.key), "_", "-") + value = secret.value + } + } + template { container { name = var.name @@ -76,6 +84,15 @@ resource "azurerm_container_app" "main" { } } + dynamic "env" { + for_each = var.secret_variables + content { + # Env vars are uppercase and underscore separated + name = upper(replace(env.key, "-", "_")) + secret_name = replace(lower(env.key), "_", "-") + } + } + dynamic "env" { for_each = var.fetch_secrets_from_app_key_vault ? data.azurerm_key_vault_secrets.app[0].secrets : [] content { @@ -104,8 +121,24 @@ resource "azurerm_container_app" "main" { content { external_enabled = true - target_port = var.http_port + target_port = var.port + allow_insecure_connections = false + traffic_weight { + percentage = 100 + latest_revision = true + } + } + } + + dynamic "ingress" { + for_each = var.is_tcp_app ? [1] : [] + + content { + external_enabled = true + target_port = var.port + exposed_port = var.port allow_insecure_connections = false + transport = "tcp" traffic_weight { percentage = 100 latest_revision = true diff --git a/infrastructure/modules/container-app/output.tf b/infrastructure/modules/container-app/output.tf index 762e1e0e..e90dbed4 100644 --- a/infrastructure/modules/container-app/output.tf +++ b/infrastructure/modules/container-app/output.tf @@ -7,3 +7,7 @@ output "url" { description = "URL of the container app. Only available if is_web_app is true." value = var.is_web_app ? "https://${azurerm_container_app.main.ingress[0].fqdn}" : "" } + +output "container_app_fqdn" { + value = azurerm_container_app.main.latest_revision_fqdn +} diff --git a/infrastructure/modules/container-app/variables.tf b/infrastructure/modules/container-app/variables.tf index 0dba97cf..55d2828f 100644 --- a/infrastructure/modules/container-app/variables.tf +++ b/infrastructure/modules/container-app/variables.tf 
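Review bot: The new TCP `ingress` block hard-codes `external_enabled = true` together with `exposed_port = var.port`, so setting `is_tcp_app` publishes a raw TCP listener outside the environment with no source restriction visible in this hunk. `allow_insecure_connections = false` is, as far as I can tell, an HTTP-to-HTTPS setting and adds no transport protection when `transport = "tcp"`, so encryption and authentication rest entirely on the application protocol. Consider making external exposure an explicit input that defaults to off (for example `external_enabled = var.ingress_external`, a proposed new variable), or adding `ip_security_restriction` entries for the permitted source ranges. The resource body continues outside the hunk.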
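Review bot: `container_app_fqdn` is wired to `latest_revision_fqdn`, which is the hostname of one specific revision rather than the app's stable ingress hostname, and the output has no `description` to say so. Callers that store this value will keep addressing a revision that is superseded on the next deploy. If the intent is an address for TCP apps, `azurerm_container_app.main.ingress[0].fqdn` guarded by the ingress flags, as the `url` output does, looks closer. At minimum add `description = "FQDN of the latest revision; changes with every new revision."`.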
@@ -52,7 +52,13 @@ variable "docker_image" { } variable "environment_variables" { - description = "Environment variables to pass to the container app. Only non-secret variables. Secrets must be stored in key vault 'app_key_vault_id'" + description = "Environment variables to pass to the container app. Only non-secret variables. Secrets can be stored in key vault 'app_key_vault_id'" + type = map(string) + default = {} +} + +variable "secret_variables" { + description = "Secret environment variables to pass to the container app." type = map(string) default = {} } @@ -69,8 +75,14 @@ variable "is_web_app" { default = false } -variable "http_port" { - description = "HTTP port for the web app. Default is 8080." +variable "is_tcp_app" { + description = "Is this a TCP app? If true, ingress is enabled." + type = bool + default = false +} + +variable "port" { + description = "Port for the ingress. Default is 8080." type = number default = 8080 }
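Review bot: Nothing stops a caller from setting both `is_web_app` and `is_tcp_app`. `main.tf` now has a second `dynamic "ingress"` block for the TCP case next to the existing one, which is presumably gated on `is_web_app`, and the resource takes a single `ingress` block. A `precondition` on the resource with `condition = !(var.is_web_app && var.is_tcp_app)` would reject that combination with a clear error. The `is_tcp_app` description should state that the ingress is external, and the `port` description that for TCP apps it is also the exposed port. Renaming `http_port` to `port` breaks existing callers of the module unless they are updated in the same change.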