diff --git a/.gitignore b/.gitignore
new file mode 100644
index 000000000..8ce0778a0
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+# Terraform
+terraform.tfstate
+terraform.tfstate.*
+.terraform/
+
diff --git a/terraform/aws/provider.tf b/terraform/aws/provider.tf
new file mode 100644
index 000000000..481a7e478
--- /dev/null
+++ b/terraform/aws/provider.tf
@@ -0,0 +1,15 @@
+terraform {
+ required_version = ">= 1.3.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ }
+}
+
+provider "aws" {
+ region = "ap-southeast-2"
+}
+
diff --git a/terraform/aws/security_groups.tf b/terraform/aws/security_groups.tf
new file mode 100644
index 000000000..540a27224
--- /dev/null
+++ b/terraform/aws/security_groups.tf
@@ -0,0 +1,58 @@
+# -----------------------
+# Security Group for ALB
+# -----------------------
+resource "aws_security_group" "alb_sg" {
+ name = "alb-security-group"
+ description = "Allow HTTP inbound traffic"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "Allow HTTP from Internet"
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ description = "Allow all outbound traffic"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = "alb-sg"
+ }
+}
+
+# -----------------------
+# Security Group for ECS Tasks
+# -----------------------
+resource "aws_security_group" "ecs_sg" {
+ name = "ecs-security-group"
+ description = "Allow traffic from ALB only"
+ vpc_id = aws_vpc.main.id
+
+ ingress {
+ description = "Allow traffic from ALB"
+ from_port = 8000
+ to_port = 8000
+ protocol = "tcp"
+ security_groups = [aws_security_group.alb_sg.id]
+ }
+
+ egress {
+ description = "Allow all outbound traffic"
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = "ecs-sg"
+ }
+}
+
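Review bot: `app_secret_value` and `alert_email` are declared in variables.tf with no default, so the natural way to supply them is a `terraform.tfvars` or `*.auto.tfvars` file, and nothing in this .gitignore keeps such a file out of the repository. Add `*.tfvars` and `*.tfvars.json` next to the state entries (but keep `.terraform.lock.hcl` tracked, as it is now). `crash.log*` is also worth ignoring, since Terraform crash logs can embed provider request bodies. If a committed template is wanted, name it `terraform.tfvars.example` and add an explicit `!terraform.tfvars.example` negation rather than loosening the pattern.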
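Review bot: `region = "ap-southeast-2"` in the `provider "aws"` block duplicates the default of `var.aws_region` declared in variables.tf, so overriding the variable would silently leave the provider pointed at the old region; use `region = var.aws_region`. The `terraform` block also declares no `backend`, so state lives in a local `terraform.tfstate`; `sensitive = true` only redacts CLI output, and if the secret is written into any resource attribute (its consumer is outside this diff) that value sits in state in plaintext. Declare a remote backend with server-side encryption and locking before the first apply — for example `backend "s3"` with `encrypt = true` on a KMS-keyed bucket — since moving state later is an extra migration step.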
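Review bot: `alb_sg` admits only TCP 80 from `0.0.0.0/0`, so the sole path into the ALB is cleartext HTTP; a TLS listener (the listener resources are not in this diff) would be unreachable because no rule opens 443. Add an HTTPS ingress rule beside the HTTP one and keep 80 only if its listener redirects to 443. In `ecs_sg`, `from_port = 8000` / `to_port = 8000` restate the default of `var.container_port`; write `from_port = var.container_port` and `to_port = var.container_port` so the two cannot drift apart. Both groups also allow all egress to `0.0.0.0/0`; the ALB only needs the task port toward `ecs_sg`, so `security_groups = [aws_security_group.ecs_sg.id]` there would be tighter, though that pair would then need to move to `aws_vpc_security_group_ingress_rule`/`aws_vpc_security_group_egress_rule` resources to avoid a reference cycle between the two groups.
```hcl
resource "aws_security_group" "alb_sg" {
  # … unchanged: name, description, vpc_id, HTTP ingress …

  ingress {
    description = "Allow HTTPS from Internet"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # … unchanged: egress, tags …
}
```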
diff --git a/terraform/aws/variables.tf b/terraform/aws/variables.tf
new file mode 100644
index 000000000..d9d51c4e1
--- /dev/null
+++ b/terraform/aws/variables.tf
@@ -0,0 +1,47 @@
+variable "aws_region" {
+ description = "AWS region"
+ type = string
+ default = "ap-southeast-2"
+}
+
+variable "vpc_cidr" {
+ description = "CIDR block for VPC"
+ type = string
+ default = "10.0.0.0/16"
+}
+
+variable "app_name" {
+ description = "Application name"
+ type = string
+ default = "devops-backend"
+}
+
+variable "container_port" {
+ description = "Container port"
+ type = number
+ default = 8000
+}
+
+variable "container_cpu" {
+ description = "CPU units for container"
+ type = number
+ default = 256
+}
+
+variable "container_memory" {
+ description = "Memory for container (MB)"
+ type = number
+ default = 512
+}
+
+variable "alert_email" {
+ description = "Email address to receive CloudWatch alerts"
+ type = string
+}
+
+variable "app_secret_value" {
+ description = "Secret value for backend (example)"
+ type = string
+ sensitive = true
+}
+
diff --git a/terraform/aws/vpc.tf b/terraform/aws/vpc.tf
new file mode 100644
index 000000000..8abb8e6ce
--- /dev/null
+++ b/terraform/aws/vpc.tf
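Review bot: `app_secret_value` being an input variable means the secret is typed into a tfvars file, a CI variable or an interactive prompt, and if it is then written into a task-definition `environment` entry or a Secrets Manager version (its consumer is outside this diff) it is persisted in plaintext state; `sensitive = true` only masks plan and apply output. Prefer accepting the ARN of a secret that already exists in Secrets Manager or SSM Parameter Store and letting the task definition pull it through its `secrets` block, so the value never transits Terraform at all. `vpc_cidr` also has no `validation` block, so a malformed value fails only at apply time; add `condition = can(cidrhost(var.vpc_cidr, 0))` with an `error_message`. `alert_email` could be guarded the same way with a `can(regex(...))` check.
```hcl
variable "vpc_cidr" {
  # … unchanged: description, type, default …

  validation {
    condition     = can(cidrhost(var.vpc_cidr, 0))
    error_message = "vpc_cidr must be a valid IPv4 CIDR block, e.g. 10.0.0.0/16."
  }
}

# … unchanged: app_name, container_port, container_cpu, container_memory, alert_email …

# Replaces app_secret_value: Terraform carries only a reference, never the secret itself.
variable "app_secret_arn" {
  description = "ARN of an existing Secrets Manager secret (or SSM SecureString parameter) holding the backend secret; the task definition should consume it via its secrets block"
  type        = string
}
```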
@@ -0,0 +1,81 @@
+# -----------------------
+# VPC
+# -----------------------
+resource "aws_vpc" "main" {
+ cidr_block = var.vpc_cidr
+ enable_dns_support = true
+ enable_dns_hostnames = true
+
+ tags = {
+ Name = "devops-vpc"
+ }
+}
+
+# -----------------------
+# Internet Gateway
+# -----------------------
+resource "aws_internet_gateway" "igw" {
+ vpc_id = aws_vpc.main.id
+
+ tags = {
+ Name = "devops-igw"
+ }
+}
+
+# -----------------------
+# Public Subnet 1
+# -----------------------
+resource "aws_subnet" "public_1" {
+ vpc_id = aws_vpc.main.id
+ cidr_block = "10.0.1.0/24"
+ availability_zone = "ap-southeast-2a"
+ map_public_ip_on_launch = true
+
+ tags = {
+ Name = "public-subnet-1"
+ }
+}
+
+# -----------------------
+# Public Subnet 2
+# -----------------------
+resource "aws_subnet" "public_2" {
+ vpc_id = aws_vpc.main.id
+ cidr_block = "10.0.2.0/24"
+ availability_zone = "ap-southeast-2b"
+ map_public_ip_on_launch = true
+
+ tags = {
+ Name = "public-subnet-2"
+ }
+}
+
+# -----------------------
+# Route Table
+# -----------------------
+resource "aws_route_table" "public" {
+ vpc_id = aws_vpc.main.id
+
+ route {
+ cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.igw.id
+ }
+
+ tags = {
+ Name = "public-route-table"
+ }
+}
+
+# -----------------------
+# Route Table Associations
+# -----------------------
+resource "aws_route_table_association" "public_1" {
+ subnet_id = aws_subnet.public_1.id
+ route_table_id = aws_route_table.public.id
+}
+
+resource "aws_route_table_association" "public_2" {
+ subnet_id = aws_subnet.public_2.id
+ route_table_id = aws_route_table.public.id
+}
+
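Review bot: both subnets are public (`map_public_ip_on_launch = true` plus a default route to `igw`) and no private subnet exists, so whatever is launched into them — the ECS service is not in this diff — gets a public IP and is one security-group edit away from direct Internet exposure; `ecs_sg` currently limits ingress to `alb_sg`, so this is a defense-in-depth gap rather than an open hole today. Keep only the ALB in these subnets and place the tasks in private subnets behind a NAT gateway (or ECR/CloudWatch VPC endpoints) with `map_public_ip_on_launch = false`. Independently, `cidr_block = "10.0.1.0/24"` and `availability_zone = "ap-southeast-2a"` are literals while `var.vpc_cidr` and `var.aws_region` are overridable: any `vpc_cidr` other than `10.0.0.0/16` makes subnet creation fail because the subnet falls outside the VPC, and a different region makes the AZ names invalid. Derive them with `cidrsubnet` and a `data "aws_availability_zones"` lookup as below, applying the same change to `public_2` with index 2 and `names[1]`.
```hcl
data "aws_availability_zones" "available" {
  state = "available"
}

resource "aws_subnet" "public_1" {
  vpc_id                  = aws_vpc.main.id
  cidr_block              = cidrsubnet(var.vpc_cidr, 8, 1)
  availability_zone       = data.aws_availability_zones.available.names[0]
  map_public_ip_on_launch = true

  # … unchanged: tags …
}
```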