diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json index 0be58ef..208efc1 100644 --- a/.devcontainer/devcontainer.json +++ b/.devcontainer/devcontainer.json @@ -7,7 +7,14 @@ // Fix cmake symlink issue from devcontainers-extra/features/cmake feature // The feature incorrectly symlinks to the bash completion file instead of the binary - "postCreateCommand": "sudo rm -f /usr/local/bin/cmake && sudo ln -s /usr/local/lib/cmake/cmake-*/bin/cmake /usr/local/bin/cmake" + "postCreateCommand": "sudo rm -f /usr/local/bin/cmake && sudo ln -s /usr/local/lib/cmake/cmake-*/bin/cmake /usr/local/bin/cmake", + "customizations": { + "vscode": { + "extensions": [ + "4ops.terraform" + ] + } + } // Features to add to the dev container. More info: https://containers.dev/features. // "features": {}, diff --git a/.github/workflows/terraform-deploy.yaml b/.github/workflows/terraform-deploy.yaml new file mode 100644 index 0000000..647e0d2 --- /dev/null +++ b/.github/workflows/terraform-deploy.yaml 
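Review bot: The new `extensions` entry `4ops.terraform` is installed from the marketplace on every container create with no version pinned, so the dev environment's toolchain now floats with whatever that publisher ships next. If choosing it over the official `hashicorp.terraform` extension is deliberate, a one-line comment above the array saying why would save the next reader a detour. devcontainer.json accepts a `publisher.name@x.y.z` suffix, so pinning is a one-token change, e.g. `"4ops.terraform@<known-good version>"` (confirm the exact version string against the marketplace listing).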
@@ -0,0 +1,109 @@
+name: Terraform CI/CD
+on:
+ push:
+ branches:
+ - main
+ paths:
+ - terraform/**
+ pull_request:
+ branches:
+ - main
+ paths:
+ - terraform/**
+
+permissions:
+ id-token: write
+ contents: read
+ pull-requests: write
+
+env:
+ AWS_REGION: us-east-1
+ TERRAGRUNT_WORKING_DIR: terraform
+ tg_version: 0.93.13
+
+jobs:
+ validate:
+ if: github.event_name == 'pull_request'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Configure AWS credentials with OIDC
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+ aws-region: ${{ env.AWS_REGION }}
+
+ - name: Terragrunt Format Check
+ uses: gruntwork-io/terragrunt-action@v3
+ with:
+ tg_version: ${{ env.tg_version }}
+ tf_path: terraform
+ tg_dir: terraform
+ tg_command: hcl fmt --check --diff
+
+ - name: Terragrunt Validate
+ uses: gruntwork-io/terragrunt-action@v3
+ with:
+ tg_version: ${{ env.tg_version }}
+ tf_path: terraform
+ tg_dir: terraform
+ tg_command: run-all validate
+
+ - name: Terragrunt Plan
+ uses: gruntwork-io/terragrunt-action@v3
+ with:
+ tg_version: ${{ env.tg_version }}
+ tf_path: terraform
+ tg_dir: terraform
+ tg_command: run-all plan
+ tg_comment: 1
+ github_token: ${{ secrets.GITHUB_TOKEN }}
+ env:
+ TF_VAR_compartment_ocid: ${{ secrets.TF_VAR_COMPARTMENT_OCID }}
+ TF_VAR_santiago_compartment_ocid: ${{ secrets.TF_VAR_SANTIAGO_COMPARTMENT_OCID }}
+ TF_VAR_docker_username: ${{ secrets.TF_VAR_DOCKER_USERNAME }}
+ TF_VAR_docker_password: ${{ secrets.TF_VAR_DOCKER_PASSWORD }}
+ TF_VAR_fastdl_bucket_name: ${{ secrets.TF_VAR_FASTDL_BUCKET_NAME }}
+ TF_VAR_route53_hosted_zone_id: ${{ secrets.TF_VAR_ROUTE53_HOSTED_ZONE_ID }}
+ TF_VAR_fastdl_acm_certificate_arn: ${{ secrets.TF_VAR_FASTDL_ACM_CERTIFICATE_ARN }}
+ TF_VAR_backend_api_endpoint: ${{ secrets.TF_VAR_BACKEND_API_ENDPOINT }}
+ TF_VAR_api_gateway_domain_name: ${{ secrets.TF_VAR_API_GATEWAY_DOMAIN_NAME }}
+ TF_VAR_api_gateway_acm_certificate_arn: ${{ secrets.TF_VAR_API_GATEWAY_ACM_CERTIFICATE_ARN }}
+ TF_VAR_backup_bucket_name: ${{ secrets.TF_VAR_BACKUP_BUCKET_NAME }}
+ TF_VAR_backup_retention_days: ${{ secrets.TF_VAR_BACKUP_RETENTION_DAYS }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ deploy:
+ if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Configure AWS credentials with OIDC
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_OIDC_ROLE_ARN }}
+ aws-region: ${{ env.AWS_REGION }}
+
+ - name: Terragrunt Apply
+ uses: gruntwork-io/terragrunt-action@v3
+ with:
+ tg_version: ${{ env.tg_version }}
+ tf_path: terraform
+ tg_dir: terraform
+ tg_command: run-all apply
+ env:
+ TF_VAR_compartment_ocid: ${{ secrets.TF_VAR_COMPARTMENT_OCID }}
+ TF_VAR_santiago_compartment_ocid: ${{ secrets.TF_VAR_SANTIAGO_COMPARTMENT_OCID }}
+ TF_VAR_docker_username: ${{ secrets.TF_VAR_DOCKER_USERNAME }}
+ TF_VAR_docker_password: ${{ secrets.TF_VAR_DOCKER_PASSWORD }}
+ TF_VAR_fastdl_bucket_name: ${{ secrets.TF_VAR_FASTDL_BUCKET_NAME }}
+ TF_VAR_route53_hosted_zone_id: ${{ secrets.TF_VAR_ROUTE53_HOSTED_ZONE_ID }}
+ TF_VAR_fastdl_acm_certificate_arn: ${{ secrets.TF_VAR_FASTDL_ACM_CERTIFICATE_ARN }}
+ TF_VAR_backend_api_endpoint: ${{ secrets.TF_VAR_BACKEND_API_ENDPOINT }}
+ TF_VAR_api_gateway_domain_name: ${{ secrets.TF_VAR_API_GATEWAY_DOMAIN_NAME }}
+ TF_VAR_api_gateway_acm_certificate_arn: ${{ secrets.TF_VAR_API_GATEWAY_ACM_CERTIFICATE_ARN }}
+ TF_VAR_backup_bucket_name: ${{ secrets.TF_VAR_BACKUP_BUCKET_NAME }}
+ TF_VAR_backup_retention_days: ${{ secrets.TF_VAR_BACKUP_RETENTION_DAYS }}
diff --git a/terraform/backend.tf b/terraform/backend.tf
new file mode 100644
index 0000000..756ffab
--- /dev/null
+++ b/terraform/backend.tf
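Review bot: The `validate` job assumes the same `AWS_OIDC_ROLE_ARN` as `deploy` and is handed every `TF_VAR_*` secret (including `TF_VAR_DOCKER_PASSWORD`) while running `run-all plan` against code taken from the pull request, so anyone who can open a same-repo PR can add an `external` data source, a `run_cmd()` in terragrunt.hcl, or a provider override and read those credentials during plan; a separate read-only plan role, and a trust policy whose `sub` condition distinguishes `pull_request` from `ref:refs/heads/main`, would bound that (the trust policy is not in this diff, so I am assuming it is currently shared). The workflow-level `pull-requests: write` is also inherited by `deploy`, which never comments, and `deploy` runs `run-all apply` straight off a push to `main` with no environment gate and no concurrency group, so two quick pushes race on the DynamoDB lock and the plan that was reviewed on the PR is not the plan that gets applied. The `uses:` lines pin to floating major tags (`@v4`, `@v3`); for a job holding cloud credentials the usual hardening is a full commit SHA with the tag in a trailing comment. The changes below move the PR-comment permission to the job that needs it and gate the apply.

```yaml
permissions:
  id-token: write
  contents: read
# … unchanged: env …

jobs:
  validate:
    if: github.event_name == 'pull_request'
    permissions:
      id-token: write
      contents: read
      pull-requests: write   # only this job posts the plan comment
    # … unchanged: runs-on, steps (use a read-only plan role here) …

  deploy:
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    environment: production      # required reviewers approve the apply
    concurrency:
      group: terraform-apply
      cancel-in-progress: false  # never cancel a running apply
    # … unchanged: runs-on, steps …
```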
@@ -0,0 +1,10 @@ +# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa +terraform { + backend "s3" { + bucket = "tf2-quickserver-terraform-state" + dynamodb_table = "tf2-quickserver-terraform-locks" + encrypt = true + key = "./terraform.tfstate" + region = "us-east-1" + } +} diff --git a/terraform/outputs.tf b/terraform/outputs.tf index 7922560..9d2c08a 100644 --- a/terraform/outputs.tf +++ b/terraform/outputs.tf @@ -3,7 +3,8 @@ # =========================================== output "compartment_id" { - value = var.compartment_ocid + value = var.compartment_ocid + sensitive = true } # São Paulo Region @@ -79,7 +80,8 @@ output "santiago_nsg_id" { value = module.oci-network-sa-santiago-1.nsg_id } output "santiago_compartment_id" { - value = var.santiago_compartment_ocid + value = var.santiago_compartment_ocid + sensitive = true } output "santiago_vnc_id" { value = module.oci-network-sa-santiago-1.vnc_id @@ -91,7 +93,8 @@ output "santiago_secret_id" { # Frankfurt Region output "frankfurt_compartment_id" { - value = var.santiago_compartment_ocid + value = var.santiago_compartment_ocid + sensitive = true } output "frankfurt_subnet_id" { value = module.oci-network-eu-frankfurt-1.subnet_id @@ -112,7 +115,8 @@ output "frankfurt_secret_id" { # Sydney Region output "sydney_compartment_id" { - value = var.santiago_compartment_ocid + value = var.santiago_compartment_ocid + sensitive = true } output "sydney_subnet_id" { value = module.oci-network-ap-sydney-1.subnet_id @@ -299,6 +303,7 @@ output "api_gateway_endpoint" { output "api_gateway_custom_domain" { description = "Custom domain name for the API Gateway" value = aws_apigatewayv2_domain_name.api_domain.domain_name + sensitive = true } output "api_gateway_id" { diff --git a/terraform/terragrunt.hcl b/terraform/terragrunt.hcl new file mode 100644 index 0000000..c9831af --- /dev/null +++ b/terraform/terragrunt.hcl @@ -0,0 +1,41 @@ +generate "backend" { + path = "backend.tf" + if_exists = "overwrite_terragrunt" + + contents = <
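Review bot: `frankfurt_compartment_id` (and `sydney_compartment_id` in the following hunk) still return `var.santiago_compartment_ocid`; this commit only stacks `sensitive = true` on what looks like a copy-paste of the Santiago block, so either a region-specific variable belongs here or the output name is misleading — variables.tf is not in this diff, so please confirm which. The new `sensitive = true` lines also deserve a comment stating their limit, because the flag only redacts the value in CLI and plan output while it remains in plaintext in the S3 state and is returned by `terraform output -json`; something like `# sensitive only redacts CLI/plan display; the value is still stored in state` above each would stop anyone treating it as a substitute for locking down the state bucket.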