diff --git a/tf/ami.tf b/tf/ami.tf
new file mode 100644
index 0000000..4fe4b48
--- /dev/null
+++ b/tf/ami.tf
@@ -0,0 +1,33 @@
+data "aws_ami" "server" {
+ count = local.ami_available ? 1 : 0
+
+ owners = ["self"]
+
+ filter {
+ name = "name"
+ values = [data.external.env.result.AMI_NAME]
+ }
+}
+
+data "aws_ami" "ubuntu" {
+ count = local.ssh_key_available ? 1 : 0
+
+ owners = ["099720109477"]
+
+ filter {
+ name = "name"
+ values = ["ubuntu/images/hvm-ssd/ubuntu-*-21.04-amd64-server-*"]
+ }
+
+ filter {
+ name = "root-device-type"
+ values = ["ebs"]
+ }
+
+ filter {
+ name = "virtualization-type"
+ values = ["hvm"]
+ }
+
+ most_recent = true
+}
diff --git a/tf/asg.tf b/tf/asg.tf
index ca48c4a..c245a7b 100644
--- a/tf/asg.tf
+++ b/tf/asg.tf
@@ -1,14 +1,3 @@
-data "aws_ami" "server" {
- count = local.ami_available ? 1 : 0
-
- owners = ["self"]
-
- filter {
- name = "name"
- values = [data.external.env.result.AMI_NAME]
- }
-}
-
 resource "aws_security_group" "server" {
 name = "riju-server"
 description = "Security group for Riju server"
diff --git a/tf/backup.tf b/tf/backup.tf
new file mode 100644
index 0000000..384f212
--- /dev/null
+++ b/tf/backup.tf
@@ -0,0 +1,31 @@
+resource "aws_backup_vault" "riju" {
+ name = "riju"
+}
+
+resource "aws_backup_plan" "riju" {
+ name = "riju"
+
+ rule {
+ rule_name = "riju"
+ target_vault_name = aws_backup_vault.riju.name
+ schedule = "cron(0 5 ? * * *)"
+
+ lifecycle {
+ delete_after = 7
+ }
+
+ recovery_point_tags {
+ BillingCategory = "Riju"
+ }
+ }
+}
+
+resource "aws_backup_selection" "riju" {
+ iam_role_arn = aws_iam_role.backup.arn
+ name = "riju"
+ plan_id = aws_backup_plan.riju.id
+
+ resources = [
+ aws_instance.dev_server[0].arn,
+ ]
+}
diff --git a/tf/ec2.tf b/tf/ec2.tf
new file mode 100644
index 0000000..dd51cda
--- /dev/null
+++ b/tf/ec2.tf
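Review bot: The `ubuntu` data source in ami.tf pins its name filter to `21.04`, an interim Ubuntu release with a short support window, so once Canonical stops publishing images for it `most_recent = true` will keep returning the last, no-longer-patched build instead of failing. Because the instance in ec2.tf also sets `ignore_changes = [ami]`, nothing in this configuration would surface that drift. Consider tracking an LTS series instead, e.g. `values = ["ubuntu/images/hvm-ssd/ubuntu-*-20.04-amd64-server-*"]` (constructed example; pick whichever LTS the dev server should follow), and a short comment on the filter saying which series is intended and why.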
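Review bot: `aws_backup_selection.riju` in backup.tf references `aws_instance.dev_server[0].arn` unconditionally, but `aws_instance.dev_server` is created with `count = local.ssh_key_available ? 1 : 0` in ec2.tf, so a plan run without `SSH_KEY_NAME` set fails on the out-of-range index instead of simply skipping the backup. Either gate the vault, plan and selection on the same local, or let the splat carry the empty case: `resources = aws_instance.dev_server[*].arn`. Separately, `aws_backup_vault.riju` does not set `kms_key_arn`, so recovery points are encrypted with the AWS-managed default key; that may be acceptable for a dev box, but a one-line comment stating that it is deliberate would save the next reader the question.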
@@ -0,0 +1,58 @@
+resource "aws_security_group" "dev_server" {
+ count = local.ssh_key_available ? 1 : 0
+
+ name = "riju-dev-server"
+ description = "Security group for Riju dev server"
+
+ ingress {
+ description = "SSH"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ ingress {
+ description = "HTTP"
+ from_port = 6119
+ to_port = 6119
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
+
+resource "aws_instance" "dev_server" {
+ count = local.ssh_key_available ? 1 : 0
+
+ ami = data.aws_ami.ubuntu[0].id
+ instance_type = "t3.2xlarge"
+ ebs_optimized = true
+
+ security_groups = [aws_security_group.dev_server[0].name]
+
+ root_block_device {
+ volume_size = 256
+
+ tags = merge(local.tags, {
+ Name = "Riju dev server"
+ })
+ }
+
+ tags = {
+ Name = "Riju dev server"
+ }
+
+ lifecycle {
+ ignore_changes = [
+ ami,
+ security_groups, # legacy
+ ]
+ }
+}
diff --git a/tf/iam.tf b/tf/iam.tf
index 21d4a2a..a4c5302 100644
--- a/tf/iam.tf
+++ b/tf/iam.tf
@@ -7,6 +7,18 @@ resource "aws_iam_access_key" "deploy" {
 }
 data "aws_iam_policy_document" "deploy" {
+ statement {
+ actions = [
+ "ecr:GetAuthorizationToken",
+ "ecr-public:GetAuthorizationToken",
+ "sts:GetServiceBearerToken",
+ ]
+
+ resources = [
+ "*",
+ ]
+ }
+
 statement {
 actions = [
 "s3:ListBucket",
@@ -28,6 +40,21 @@ data "aws_iam_policy_document" "deploy" {
 }
 }
+data "aws_iam_policy_document" "deploy_assume_role" {
+ statement {
+ actions = [
+ "sts:AssumeRole",
+ ]
+
+ principals {
+ type = "AWS"
+ identifiers = [
+ "${data.aws_caller_identity.current.account_id}",
+ ]
+ }
+ }
+}
+
 resource "aws_iam_policy" "deploy" {
 name = "riju-deploy"
 description = "Policy granting CI access to deploy Riju"
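Review bot: `aws_security_group.dev_server` opens port 22 and port 6119 to `0.0.0.0/0`, and the same commit attaches an instance profile to this host whose policy grants `*` on `*` (iam.tf), so a compromise of the SSH service or of whatever listens on 6119 hands over full account administration. Restrict `cidr_blocks` on both ingress rules to the operator's address range (a local populated through the existing `data.external.env` lookup would match the file's pattern), or drop the SSH rule in favour of SSM Session Manager. Independently, the instance should set `metadata_options` with `http_tokens = "required"` so the role credentials are only reachable through IMDSv2. The instance also sets no `key_name` although its creation is gated on `SSH_KEY_NAME`; unless the key is injected elsewhere, the SSH rule has nothing to authenticate against.
```hcl
  ingress {
    description = "SSH"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [local.dev_server_admin_cidr] # placeholder name: define this local from data.external.env
  }

  # … unchanged: HTTP ingress (same cidr_blocks restriction), egress …

resource "aws_instance" "dev_server" {
  # … unchanged: count, ami, instance_type, ebs_optimized, security_groups …

  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  # … unchanged: root_block_device, tags, lifecycle …
```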
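Review bot: The new first statement of `data.aws_iam_policy_document.deploy` grants `sts:GetServiceBearerToken` on `*` with no explanation, and a reader auditing the deploy policy will reasonably ask why an STS permission sits next to ECR auth; it is required by `ecr-public:GetAuthorizationToken`, which is worth saying in place. Suggested comment above the statement: `# ecr-public:GetAuthorizationToken requires sts:GetServiceBearerToken; neither action supports resource-level scoping, hence "*".` The enclosing policy document continues past this hunk.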
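Review bot: `deploy_assume_role` in the `@@ -28,6 +40,21 @@` hunk trusts the bare account id, which IAM normalises to the account root principal, so every identity in the account that is allowed `sts:AssumeRole` can assume `riju-deploy` and with it the S3 and ECR permissions of the deploy policy. The trust should name the CI principal instead, e.g. the ARN of the IAM user behind `aws_iam_access_key.deploy`, or the specific role CI runs under. The `"${...}"` wrapper around the interpolation is also a pre-0.12 idiom; `identifiers = [data.aws_caller_identity.current.account_id]` is equivalent and matches the style of the surrounding file.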
@@ -39,6 +66,17 @@ resource "aws_iam_user_policy_attachment" "deploy" {
 policy_arn = aws_iam_policy.deploy.arn
 }
+resource "aws_iam_role" "deploy" {
+ name = "riju-deploy"
+ description = "Role used by CI and deployment"
+ assume_role_policy = data.aws_iam_policy_document.deploy_assume_role.json
+}
+
+resource "aws_iam_role_policy_attachment" "deploy" {
+ role = aws_iam_role.deploy.name
+ policy_arn = aws_iam_policy.deploy.arn
+}
+
 data "aws_iam_policy_document" "server" {
 statement {
 actions = [
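Review bot: `aws_iam_role_policy_attachment.deploy` binds the same `riju-deploy` policy that `aws_iam_user_policy_attachment.deploy` already binds to the deploy user, so after this hunk the project has two credential paths to identical privileges, one of them the long-lived static key created by `aws_iam_access_key.deploy`. If the role is meant to replace the key for CI, that should be stated and the user attachment and access key retired in a follow-up; if both are meant to coexist, a comment on `aws_iam_role.deploy` naming who assumes it and why the user remains would help. `data "aws_iam_policy_document" "server"` continues past the end of the hunk.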
@@ -108,3 +146,91 @@ resource "aws_iam_instance_profile" "server" {
 name = "riju-server"
 role = aws_iam_role.server.name
 }
+
+data "aws_iam_policy_document" "dev_server" {
+ statement {
+ actions = [
+ "*",
+ ]
+
+ resources = [
+ "*",
+ ]
+ }
+}
+
+resource "aws_iam_policy" "dev_server" {
+ name = "riju-dev-server"
+ description = "Policy granting AWS administrative access from dev server"
+ policy = data.aws_iam_policy_document.dev_server.json
+}
+
+data "aws_iam_policy_document" "dev_server_assume_role" {
+ statement {
+ actions = [
+ "sts:AssumeRole",
+ ]
+
+ principals {
+ type = "Service"
+ identifiers = [
+ "ec2.amazonaws.com",
+ ]
+ }
+ }
+}
+
+resource "aws_iam_role" "dev_server" {
+ name = "riju-dev-server"
+ description = "Role used by Riju dev server"
+ assume_role_policy = data.aws_iam_policy_document.dev_server_assume_role.json
+}
+
+resource "aws_iam_role_policy_attachment" "dev_server" {
+ role = aws_iam_role.dev_server.name
+ policy_arn = aws_iam_policy.dev_server.arn
+}
+
+resource "aws_iam_instance_profile" "dev_server" {
+ name = "riju-dev-server"
+ role = aws_iam_role.dev_server.name
+}
+
+data "aws_iam_policy_document" "backup_assume_role" {
+ statement {
+ actions = [
+ "sts:AssumeRole",
+ ]
+
+ principals {
+ type = "Service"
+ identifiers = [
+ "backup.amazonaws.com",
+ ]
+ }
+ }
+}
+
+resource "aws_iam_role" "backup" {
+ name = "riju-backup"
+ description = "Role used by AWS Backup for Riju"
+ assume_role_policy = data.aws_iam_policy_document.backup_assume_role.json
+}
+
+data "aws_iam_policy" "backup" {
+ name = "AWSBackupServiceRolePolicyForBackup"
+}
+
+data "aws_iam_policy" "backup_restores" {
+ name = "AWSBackupServiceRolePolicyForRestores"
+}
+
+resource "aws_iam_role_policy_attachment" "backup" {
+ role = aws_iam_role.backup.name
+ policy_arn = data.aws_iam_policy.backup.arn
+}
+
+resource "aws_iam_role_policy_attachment" "backup_restores" {
+ role = aws_iam_role.backup.name
+ policy_arn = data.aws_iam_policy.backup_restores.arn
+}
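Review bot: `data.aws_iam_policy_document.dev_server` grants `*` on `*` and is bound to an instance profile, so the dev server's instance role is effectively account administrator, available to any process on the host and, via the security group in ec2.tf, to anyone who can log in from the internet. If an admin-capable role on the box is genuinely needed, narrow the blast radius: list the services the dev workflow actually uses instead of `"*"`, attach a `permissions_boundary` to `aws_iam_role.dev_server`, and require IMDSv2 on the instance so the credentials are not readable by a simple unauthenticated metadata request. The description already says the access is administrative, but a comment above the policy document explaining why scoped permissions were not used would tell future reviewers whether this is a stopgap or a decision. The backup role, by contrast, correctly uses the two AWS-managed backup policies rather than a bespoke document.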
diff --git a/tf/main.tf b/tf/main.tf
index 8be2123..afa2bd9 100644
--- a/tf/main.tf
+++ b/tf/main.tf
@@ -26,6 +26,7 @@ locals {
 }
 ami_available = lookup(data.external.env.result, "AMI_NAME", "") != "" ? true : false
+ ssh_key_available = lookup(data.external.env.result, "SSH_KEY_NAME", "") != "" ? true : false
 }
 provider "aws" {
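Review bot: The new `ssh_key_available` local copies the `!= "" ? true : false` shape of the `ami_available` line above it; the comparison already yields a bool, so `ssh_key_available = lookup(data.external.env.result, "SSH_KEY_NAME", "") != ""` reads the same without the redundant conditional, and if consistency matters more, simplify both lines together rather than one. More useful than the style point is documenting what the flag switches on, since nothing here says so: `# Gates the Ubuntu AMI lookup (ami.tf) and the dev server with its security group (ec2.tf).` The `locals` block begins before this hunk.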