diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..6f9d4af
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,7 @@
+.terraform
+**/*.tfplan
+**/*.tfstate*
+.venv
+.terraform.lock.hcl
+.acr-pat
+azure.env
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..50a99df
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,13 @@
+FROM python:3.13-slim
+
+WORKDIR /app
+
+COPY requirements.txt .
+
+RUN pip install --root-user-action=ignore --no-cache-dir -r requirements.txt
+
+COPY image-chooser.py .
+COPY ./entrypoint.sh /
+
+ENTRYPOINT [ "/entrypoint.sh" ]
+CMD [ "run", "image-chooser.py" ]
diff --git a/build.sh b/build.sh
new file mode 100755
index 0000000..0c26351
--- /dev/null
+++ b/build.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+IMAGE_NAME="azure-image-chooser"
+#IMAGE="docker.io/skoszewski/$IMAGE_NAME"
+IMAGE="skdomlab.azurecr.io/$IMAGE_NAME"
+
+podman build -t $IMAGE .
+podman push $IMAGE
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 0000000..4feca98
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+if [ "$1" = "-s" ] || [ "$1" = "--shell" ]; then
+ shift
+ exec bash $@
+fi
+
+exec streamlit $@
diff --git a/image-chooser.py b/image-chooser.py
index 3c71604..49959d0 100644
--- a/image-chooser.py
+++ b/image-chooser.py
@@ -32,7 +32,7 @@ def get_skus(location: str, publisher: str, offer: str): def get_image_versions(location: str, publisher: str, offer: str, sku: str): return [version.name for version in compute_client.virtual_machine_images.list(location, publisher, offer, sku)] -subscription_id = "046a1c08-9940-48c0-893c-77eccd7e875d" +subscription_id = "c885a276-c882-483f-b216-42f73715161d" location = "westeurope" credential = DefaultAzureCredential()
diff --git a/main.auto.tfvars b/main.auto.tfvars
new file mode 100644
index 0000000..87b4ac0
--- /dev/null
+++ b/main.auto.tfvars
@@ -0,0 +1,2 @@
+subscription_id = "c885a276-c882-483f-b216-42f73715161d"
+project_name = "azure-image-chooser"
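Review bot: The Dockerfile never switches away from root, so `entrypoint.sh` and the Streamlit process run as uid 0 inside the container, and `--root-user-action=ignore` only silences pip's warning about that. Add an unprivileged account before the entrypoint, for example `RUN useradd --create-home app` followed by `USER app` after the `COPY` lines. `FROM python:3.13-slim` is also a floating tag, so a rebuild can silently pick up a different base image; pinning it by digest (`python:3.13-slim@sha256:<digest>`) keeps builds reproducible.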
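Review bot: In build.sh, `podman push $IMAGE` still runs when `podman build` fails, because the script has no error handling; a failed build would push whatever older image still carries that tag locally. Add `set -euo pipefail` after the shebang and quote the expansions (`podman build -t "$IMAGE" .`, `podman push "$IMAGE"`). The tag is implicitly `:latest`, which `main.tf` also deploys, so a pushed image cannot be traced back to a commit; consider adding a second tag derived from the commit id.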
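Review bot: In entrypoint.sh, both `exec bash $@` and `exec streamlit $@` expand `$@` unquoted, so any argument containing spaces or glob characters is re-split and expanded by the shell before it reaches the program. Use `exec bash "$@"` and `exec streamlit "$@"`. A one-line comment above the `if`, such as `# -s/--shell: start an interactive shell instead of Streamlit (debugging)`, would explain the branch to someone reading only the Dockerfile `CMD`.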
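Review bot: In image-chooser.py, `subscription_id` remains a hard-coded literal, so this commit has to edit source code just to point the app at another subscription. `run-container.sh` in the same commit already insists on `AZURE_SUBSCRIPTION_ID` being set, so the module could read it instead: `subscription_id = os.environ["AZURE_SUBSCRIPTION_ID"]`. The import block is outside this hunk, so `import os` may need adding. The same value is duplicated in `main.auto.tfvars`, and the two copies will drift unless one source is used.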
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..381d201
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,91 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = ">= 4.0.0"
+ }
+ }
+
+ backend "local" {
+ path = "azure-image-chooser.tfstate"
+ }
+}
+
+provider "azurerm" {
+ features {}
+
+ subscription_id = var.subscription_id
+}
+
+variable "subscription_id" {
+ description = "The Azure Subscription ID to use for the resources."
+ type = string
+}
+
+variable "project_name" {
+ description = "The name used to construct Azure resource names."
+ type = string
+}
+
+resource "azurerm_resource_group" "rg" {
+ name = "rg-${var.project_name}"
+ location = "Poland Central"
+}
+
+resource "azurerm_log_analytics_workspace" "logaws" {
+ name = "${var.project_name}-logs"
+ location = azurerm_resource_group.rg.location
+ resource_group_name = azurerm_resource_group.rg.name
+ sku = "PerGB2018"
+ retention_in_days = 30
+}
+
+resource "azurerm_container_app_environment" "env" {
+ name = "${var.project_name}-env"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+ log_analytics_workspace_id = azurerm_log_analytics_workspace.logaws.id
+
+ workload_profile {
+ name = "Consumption"
+ workload_profile_type = "Consumption"
+ maximum_count = 1
+ }
+}
+
+resource "azurerm_container_app" "app" {
+ name = "${var.project_name}-app"
+ container_app_environment_id = azurerm_container_app_environment.env.id
+ resource_group_name = azurerm_resource_group.rg.name
+ revision_mode = "Single"
+
+ template {
+ container {
+ name = "${var.project_name}-container"
+ image = "skdomlab.azurecr.io/azure-image-chooser:latest"
+ cpu = "0.25"
+ memory = "0.5Gi"
+ }
+ }
+ identity {
+ type = "UserAssigned"
+ identity_ids = [azurerm_user_assigned_identity.uai.id]
+ }
+}
+
+resource "azurerm_user_assigned_identity" "uai" {
+ name = "${var.project_name}-uai"
+ resource_group_name = azurerm_resource_group.rg.name
+ location = azurerm_resource_group.rg.location
+}
+
+resource "azurerm_role_assignment" "acr_pull" {
+ scope = data.azurerm_container_registry.acr.id
+ role_definition_name = "AcrPull"
+ principal_id = azurerm_user_assigned_identity.uai.principal_id
+}
+
+data "azurerm_container_registry" "acr" {
+ name = "skdomlab"
+ resource_group_name = "dom-lab-common"
+}
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..347d71d
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,3 @@
+streamlit
+azure-identity
+azure-mgmt-compute
diff --git a/run-container.sh b/run-container.sh
new file mode 100755
index 0000000..eadf53f
--- /dev/null
+++ b/run-container.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+if [ -z "$AZURE_CLIENT_ID" ] || [ -z "$AZURE_TENANT_ID" ] || [ -z "$AZURE_CLIENT_SECRET" ] || [ -z "$AZURE_SUBSCRIPTION_ID" ]; then
+ echo "One or more environment variables are not set."
+ exit 1
+fi
+
+podman run --rm \
+ -it \
+ -e AZURE_CLIENT_ID="$AZURE_CLIENT_ID" \
+ -e AZURE_TENANT_ID="$AZURE_TENANT_ID" \
+ -e AZURE_CLIENT_SECRET="$AZURE_CLIENT_SECRET" \
+ -e AZURE_SUBSCRIPTION_ID="$AZURE_SUBSCRIPTION_ID" \
+ -p 8501:8501 \
+ azure-image-chooser
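Review bot: In main.tf, `azurerm_container_app.app` has no `registry` block, so nothing tells the app to use the user-assigned identity when pulling `skdomlab.azurecr.io/azure-image-chooser:latest`; the `AcrPull` assignment on its own is presumably not enough for a pull from a private registry. Add a `registry` block naming the server and the identity, and make the app depend on `azurerm_role_assignment.acr_pull` so the role exists before the first revision starts. The `:latest` tag also means each new revision runs whatever was pushed last; a version tag or digest would make a deployment traceable to a build. The identity is granted only `AcrPull` here, so if the app's `DefaultAzureCredential` is meant to use it for listing images, it would likely also need a read role and `AZURE_CLIENT_ID` in the container environment; please confirm.

```hcl
resource "azurerm_container_app" "app" {
  # … unchanged: name, environment id, resource group, revision_mode, template, identity …

  registry {
    server   = "skdomlab.azurecr.io"
    identity = azurerm_user_assigned_identity.uai.id
  }

  # The pull fails if the revision starts before the AcrPull role is assigned.
  depends_on = [azurerm_role_assignment.acr_pull]
}
```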
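Review bot: In requirements.txt all three dependencies are unpinned, so every image build installs whatever versions are newest on PyPI at that moment, and a breaking or compromised release reaches the image without any change to this repository. Pin exact versions (`streamlit==<version>`, and likewise for `azure-identity` and `azure-mgmt-compute`). Ideally generate the file with `pip-compile --generate-hashes` and install it in the Dockerfile with `pip install --require-hashes -r requirements.txt`.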
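Review bot: In run-container.sh, `-e AZURE_CLIENT_SECRET="$AZURE_CLIENT_SECRET"` puts the secret on podman's command line, where other local users can read it from the process list. Pass the variables by name instead (`-e AZURE_CLIENT_SECRET`, and the same for the other three) so podman copies the values from the exported environment, or use `--env-file azure.env`, which `.gitignore` already excludes. `-p 8501:8501` publishes the app on every host interface; `-p 127.0.0.1:8501:8501` keeps a credentialed test instance off the network. The image name `azure-image-chooser` is also not the tag `build.sh` applies (`skdomlab.azurecr.io/azure-image-chooser`), so the run may not find the locally built image.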