diff --git a/tf/environments/prod/main.tf b/tf/environments/prod/main.tf
index f7d61fb2..62d2c86c 100644
--- a/tf/environments/prod/main.tf
+++ b/tf/environments/prod/main.tf
@@ -578,3 +578,14 @@ module "codesigning" {
 subnet_cidr_blocks = module.network.vpc_subnet_cloudhsm[*].cidr_block
 key_name = module.adm_iam_roles.oonidevops_key_name
 }
+
+## Ansible controller setup
+
+module "ansible_controller" {
+ source = "../../modules/ansible_controller"
+
+ vpc_id = module.network.vpc_id
+ key_name = module.adm_iam_roles.oonidevops_key_name
+
+ dns_zone_ooni_io = local.dns_zone_ooni_io
+}
diff --git a/tf/modules/ansible_controller/main.tf b/tf/modules/ansible_controller/main.tf
new file mode 100644
index 00000000..74d59d98
--- /dev/null
+++ b/tf/modules/ansible_controller/main.tf
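Review bot: The `module "ansible_controller"` call passes `vpc_id = module.network.vpc_id` but no subnet, so the caller does not decide where in the network the controller lands, unlike the neighbouring `codesigning` module which pins `subnet_cidr_blocks` from `module.network`; add a subnet argument taken from one of `module.network`'s subnet outputs so the host is placed in an intentionally chosen (ideally admin-only) subnet rather than wherever the module's instance resource defaults. `tags` is also omitted, so the module's `{}` default applies and the prod controller is created untagged; passing the same tag set the other prod modules use keeps it attributable. The `instance_type` is left at the module default as well, which is fine if intentional but worth stating explicitly for a prod host, e.g. `instance_type = "t2.micro"`.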
@@ -0,0 +1,74 @@
+data "aws_ssm_parameter" "ubuntu_22_ami" {
+ name = "/aws/service/canonical/ubuntu/server/22.04/stable/current/amd64/hvm/ebs-gp2/ami-id"
+}
+
+resource "aws_security_group" "ansible_ctrl_sg" {
+ description = "security group for ansible controller"
+ name_prefix = "ooni-ansible-ctrl"
+
+ vpc_id = var.vpc_id
+
+ ingress {
+ protocol = "tcp"
+ from_port = 22
+ to_port = 22
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+
+ cidr_blocks = [
+ "0.0.0.0/0",
+ ]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ ipv6_cidr_blocks = ["::/0"]
+ }
+
+ lifecycle {
+ create_before_destroy = true
+ }
+
+ tags = var.tags
+}
+
+resource "aws_instance" "ansible_controller" {
+ ami = data.aws_ssm_parameter.ubuntu_22_ami.value
+ instance_type = var.instance_type
+ key_name = var.key_name
+
+ user_data = <<-EOF
+ #!/bin/bash
+ apt-get update
+ apt-get install -y software-properties-common
+ add-apt-repository --yes --update ppa:ansible/ansible
+ apt-get install -y ansible
+ EOF
+
+ lifecycle {
+ create_before_destroy = true
+ }
+
+ security_groups = [aws_security_group.ansible_ctrl_sg.id]
+
+ tags = var.tags
+}
+
+resource "aws_route53_record" "oonith_service_alias" {
+ zone_id = var.dns_zone_ooni_io
+ name = "ansible-controller"
+ type = "A"
+
+ alias {
+ name = aws_instance.ansible_controller.public_dns
+ zone_id = var.dns_zone_ooni_io
+ evaluate_target_health = true
+ }
+}
diff --git a/tf/modules/ansible_controller/outputs.tf b/tf/modules/ansible_controller/outputs.tf
new file mode 100644
index 00000000..8b137891
--- /dev/null
+++ b/tf/modules/ansible_controller/outputs.tf
@@ -0,0 +1 @@
+
diff --git a/tf/modules/ansible_controller/variables.tf b/tf/modules/ansible_controller/variables.tf
new file mode 100644
index 00000000..fd68a035
--- /dev/null
+++ b/tf/modules/ansible_controller/variables.tf
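Review bot: The ingress rule `cidr_blocks = ["0.0.0.0/0"]` on port 22 exposes SSH on a host that will hold the Ansible inventory and whatever key material it uses to reach every managed machine, so it should be narrowed to an operator CIDR list (a new `list(string)` variable, proposed name `ssh_allowed_cidr_blocks`, declared in variables.tf) or replaced by SSM Session Manager access with no inbound rule at all. `aws_instance.ansible_controller` also sets `security_groups` (which takes group names and applies to the default VPC) with no `subnet_id`, so the VPC-scoped `ansible_ctrl_sg` will not attach as written; use `vpc_security_group_ids` and a caller-supplied subnet. The `aws_route53_record` wraps an EC2 `public_dns` name in an `alias` block, which is not a valid Route 53 alias target; a plain A record with `ttl` and `records = [aws_instance.ansible_controller.public_ip]` is what this needs, preferably backed by an Elastic IP since the public address changes on stop/start. While here, `metadata_options { http_tokens = "required" }` and an encrypted `root_block_device` are cheap hardening for a host in this role, and the user_data pulls Ansible from an unpinned PPA, which is worth a comment noting that the package source is not version-pinned.

```hcl
resource "aws_security_group" "ansible_ctrl_sg" {
  # … unchanged: description, name_prefix, vpc_id …

  ingress {
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = var.ssh_allowed_cidr_blocks # operator networks only; never 0.0.0.0/0
  }

  # … unchanged: egress rules, lifecycle, tags …
}

resource "aws_instance" "ansible_controller" {
  # … unchanged: ami, instance_type, key_name, user_data, lifecycle …

  subnet_id              = var.subnet_id # new variable, supplied by the caller
  vpc_security_group_ids = [aws_security_group.ansible_ctrl_sg.id]

  metadata_options {
    http_tokens = "required" # IMDSv2 only
  }

  root_block_device {
    encrypted = true
  }

  # … unchanged: tags …
}

resource "aws_route53_record" "oonith_service_alias" {
  zone_id = var.dns_zone_ooni_io
  name    = "ansible-controller"
  type    = "A"
  ttl     = 300
  records = [aws_instance.ansible_controller.public_ip]
}
```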
@@ -0,0 +1,27 @@
+variable "vpc_id" {
+ description = "the id of the VPC to deploy the instance into"
+}
+
+variable "tags" {
+ description = "tags to apply to the resources"
+ default = {}
+ type = map(string)
+}
+
+variable "key_name" {
+ description = "Name of AWS key pair"
+}
+
+variable "name" {
+ description = "Name of the resources"
+ default = "ooni-backendproxy"
+}
+
+variable "instance_type" {
+ default = "t2.micro"
+}
+
+variable "dns_zone_ooni_io" {
+ description = "id of the DNS zone for ooni_io"
+}
+
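Review bot: `variable "name"` defaults to `"ooni-backendproxy"`, which looks carried over from another module and is not referenced anywhere in this module's main.tf, so it should be dropped or wired into `name_prefix`/tags with a default that names this module, e.g. `default = "ooni-ansible-controller"`. `vpc_id`, `key_name`, `dns_zone_ooni_io` and `instance_type` declare no `type`, so a wrong value is only caught at apply time; add `type = string` to each, and give `instance_type` a `description` so the variables file documents itself consistently. Because only `tags` is fully typed here, the module's interface is looser than the `codesigning` sibling it sits next to in prod.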