diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9c6743678e..86ec129de3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -225,6 +225,15 @@ jobs:
       - uses: cashapp/activate-hermit@v1.1.3
       - uses: ./.github/actions/build-cache
       - run: just build-docker controller
+  docker-build-provisioner:
+    name: Build Provisioner Docker Image
+    # if: github.event_name != 'pull_request' || github.event.action == 'enqueued' || contains( github.event.pull_request.labels.*.name, 'run-all')
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: cashapp/activate-hermit@v1.1.3
+      - uses: ./.github/actions/build-cache
+      - run: just build-docker provisioner
   docker-build-runner:
     name: Build Runner Docker Image
     # if: github.event_name != 'pull_request' || github.event.action == 'enqueued' || contains( github.event.pull_request.labels.*.name, 'run-all')
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index db7ce245ec..20bc3e1607 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -42,6 +42,25 @@ jobs:
           name: docker-controller-artifact
           path: artifacts/ftl-controller
           retention-days: 1
+  build-provisioner:
+    name: Build Provisioner Docker Image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+      - name: Init Hermit
+        uses: cashapp/activate-hermit@v1.1.3
+      - name: Build
+        run: |
+          just build-docker provisioner
+          mkdir -p artifacts/ftl-provisioner
+          docker save -o artifacts/ftl-provisioner/ftl-provisioner.tar ftl0/ftl-provisioner:latest
+      - name: Temporarily save Docker image
+        uses: actions/upload-artifact@v4
+        with:
+          name: docker-provisioner-artifact
+          path: artifacts/ftl-provisioner
+          retention-days: 1
   build-box:
     name: Build FTL-in-a-box Docker Image
     runs-on: ubuntu-latest
@@ -85,6 +104,11 @@ jobs:
         with:
           name: docker-controller-artifact
           path: artifacts/ftl-controller
+      - name: Retrieve Provisioner Docker image
+        uses: actions/download-artifact@v4
+        with:
+          name: docker-provisioner-artifact
+          path: artifacts/ftl-provisioner
       - name: Retrieve FTL-in-a-box Docker image
         uses: actions/download-artifact@v4
         with:
@@ -94,6 +118,8 @@ jobs:
         run: docker load -i artifacts/ftl-runner/ftl-runner.tar
       - name: Load Controller Docker image
         run: docker load -i artifacts/ftl-controller/ftl-controller.tar
+      - name: Load Provisioner Docker image
+        run: docker load -i artifacts/ftl-provisioner/ftl-provisioner.tar
       - name: Load FTL-in-a-box Docker image
         run: docker load -i artifacts/ftl-box/ftl-box.tar
       - name: Log in to the Container registry
@@ -110,6 +136,9 @@ jobs:
           docker tag ftl0/ftl-controller:latest ftl0/ftl-controller:"$GITHUB_SHA"
           docker tag ftl0/ftl-controller:latest ftl0/ftl-controller:"$version"
           docker push -a ftl0/ftl-controller
+          docker tag ftl0/ftl-provisioner:latest ftl0/ftl-provisioner:"$GITHUB_SHA"
+          docker tag ftl0/ftl-provisioner:latest ftl0/ftl-provisioner:"$version"
+          docker push -a ftl0/ftl-provisioner
           docker tag ftl0/ftl-box:latest ftl0/ftl-box:"$GITHUB_SHA"
           docker tag ftl0/ftl-box:latest ftl0/ftl-box:"$version"
           docker push -a ftl0/ftl-box
diff --git a/Dockerfile.provisioner b/Dockerfile.provisioner
new file mode 100644
index 0000000000..e6f03b7dd1
--- /dev/null
+++ b/Dockerfile.provisioner
@@ -0,0 +1,50 @@
+FROM ubuntu:24.04 AS builder
+RUN apt-get update
+RUN apt-get install -y curl git zip
+
+# Copy Hermit bin stubs and install all packages. This is done
+# separately so that Docker will cache the tools correctly.
+COPY ./bin /src/bin
+ENV PATH="/src/bin:$PATH"
+WORKDIR /src
+
+# Seed some of the most common tools - this will be cached
+RUN go version
+RUN node --version
+
+# Download Go dependencies separately so Docker will cache them
+COPY go.mod go.sum ./
+RUN go mod download -x
+
+# Download PNPM dependencies separately so Docker will cache them
+COPY frontend/console/package.json ./frontend/console/
+COPY frontend/vscode/package.json ./frontend/vscode/
+COPY pnpm-workspace.yaml pnpm-lock.yaml ./
+RUN pnpm install --frozen-lockfile
+
+# Build
+COPY . /src/
+RUN just errtrace
+# Reset timestamps so that the build state is reset
+RUN git ls-files -z | xargs -0 touch -r go.mod
+RUN just build ftl-provisioner ftl-provisioner-cloudformation
+
+# Finally create the runtime image.
+FROM scratch
+
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+
+WORKDIR /plugins/
+COPY ftl-provisioner-config.toml .
+COPY --from=builder /src/build/release/ftl-provisioner-cloudformation .
+
+WORKDIR /service/
+COPY --from=builder /src/build/release/ftl-provisioner .
+
+EXPOSE 8893
+
+ENV PATH="$PATH:/plugins/"
+ENV FTL_PROVISIONER_BIND="http://0.0.0.0:8893"
+ENV FTL_PROVISIONER_PLUGIN_CONFIG_FILE="/plugins/config.toml"
+
+CMD ["/service/ftl-provisioner"]
diff --git a/ftl-provisioner-config.toml b/ftl-provisioner-config.toml
new file mode 100644
index 0000000000..59a076fa74
--- /dev/null
+++ b/ftl-provisioner-config.toml
@@ -0,0 +1,4 @@
+plugins = [
+    { id = "cloudformation", resources = ["postgres"] },
+    { id = "controller", resources = ["module"] },
+]
\ No newline at end of file