diff --git a/.erdconfig b/.erdconfig
new file mode 100644
index 00000000000..d7d6f323776
--- /dev/null
+++ b/.erdconfig
@@ -0,0 +1,9 @@
+title: login.gov IdP entity-relationship diagram
+notation: bachman
+filename: idp_erd
+filetype: svg
+attributes:
+    - primary_keys
+    - foreign_keys
+    - content
+sort: false
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 0dfcf3388a2..8b55b1411ae 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -8,7 +8,7 @@ variables:
   FF_SCRIPT_SECTIONS: 'true'
   JUNIT_OUTPUT: 'true'
   ECR_REGISTRY: '${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com'
-  IDP_CI_SHA: 'sha256:5c4953f8efba18b7a6d6a9a961cb77ba7143059cbb2176499432b4275fbe67db'
+  IDP_CI_SHA: 'sha256:1585fc477567198748d3adba75120fd501d89f68844bfeeee4f96f9fd80ff4a5'
   PKI_IMAGE_TAG: 'main'
   DASHBOARD_IMAGE_TAG: 'main'
   APPLICATION_MANIFEST: dockerfiles/application.yaml
@@ -746,3 +746,31 @@ deploy_eks:
     IMAGE_TAG: $CI_COMMIT_SHA
   rules:
     - if: $CI_COMMIT_BRANCH == "main"
+
+publish_er_diagram:
+  stage: .post
+  needs:
+    - job: build-ci-image
+  variables:
+    DOCKER_DB_HOST: db-postgres
+    POSTGRES_DB: identity_idp_test
+    POSTGRES_USER: postgres_user
+    POSTGRES_PASSWORD: postgres_password
+    POSTGRES_HOST_AUTH_METHOD: trust
+    RAILS_ENV: test
+  services:
+    - name: public.ecr.aws/docker/library/postgres:16.4
+      alias: db-postgres
+      command: ['--fsync=false', '--synchronous_commit=false', '--full_page_writes=false']
+  cache:
+    - <<: *ruby_cache
+  rules:
+    - if: $CI_COMMIT_BRANCH == "main"
+    - if: $CI_COMMIT_BRANCH == "vm-reinstate-erd"
+  script:
+    - *bundle_install
+    - bundle exec rake db:create db:migrate --trace
+    - bundle exec rails erd
+  artifacts:
+    paths:
+      - idp_erd.svg
diff --git a/Gemfile b/Gemfile
index ee19f1969e6..ef22ea502a2 100644
--- a/Gemfile
+++ b/Gemfile
@@ -116,6 +116,7 @@ group :development, :test do
   gem 'pry-doc'
   gem 'pry-rails'
   gem 'psych'
+  gem 'rails-erd'
   gem 'rspec', '~> 3.13.0'
   gem 'rspec-rails', '~> 7.0'
   gem 'rubocop', '~> 1.69.1', require: false
diff --git a/Gemfile.lock b/Gemfile.lock
index 037d8d04e17..b3da7b0bd4e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -253,6 +253,7 @@ GEM
       nokogiri (~> 1.10, >= 1.10.4)
       rubyzip (>= 1.3.0, < 3)
     cbor (0.5.9.8)
+    choice (0.2.0)
     chunky_png (1.4.0)
     coderay (1.1.3)
     coercible (1.0.0)
@@ -544,6 +545,11 @@ GEM
       activesupport (>= 5.0.0)
       minitest
       nokogiri (>= 1.6)
+    rails-erd (1.7.2)
+      activerecord (>= 4.2)
+      activesupport (>= 4.2)
+      choice (~> 0.2.0)
+      ruby-graphviz (~> 1.2)
     rails-html-sanitizer (1.6.1)
       loofah (~> 2.21)
       nokogiri (>= 1.15.7, != 1.16.7, != 1.16.6, != 1.16.5, != 1.16.4, != 1.16.3, != 1.16.2, != 1.16.1, != 1.16.0.rc1, != 1.16.0)
@@ -634,6 +640,8 @@ GEM
       rubocop-ast (>= 1.31.1, < 2.0)
     rubocop-rspec (3.2.0)
       rubocop (~> 1.61)
+    ruby-graphviz (1.2.5)
+      rexml
     ruby-progressbar (1.13.0)
     ruby-saml (1.17.0)
       nokogiri (>= 1.13.10)
@@ -833,6 +841,7 @@ DEPENDENCIES
   rack_session_access (>= 0.2.0)
   rails (~> 7.2.1)
   rails-controller-testing (>= 1.0.4)
+  rails-erd
   redacted_struct
   redis (>= 3.2.0)
   redis-session-store!
diff --git a/dockerfiles/idp_ci.Dockerfile b/dockerfiles/idp_ci.Dockerfile
index d09f0814808..5c378d0ecb4 100644
--- a/dockerfiles/idp_ci.Dockerfile
+++ b/dockerfiles/idp_ci.Dockerfile
@@ -21,6 +21,7 @@ RUN apt-get update -qq && \
     nodejs \
     locales \
     google-chrome-stable \
+    graphviz \
     yarn
 
 RUN curl -Ss "https://storage.googleapis.com/chrome-for-testing-public/$(google-chrome --version | grep -Po '\d+\.\d+\.\d+\.\d+' | tr -d '\n')/linux64/chromedriver-linux64.zip" > /tmp/chromedriver.zip && \