diff --git a/zosia_site/app_engine.tf b/zosia_site/app_engine.tf
deleted file mode 100644
index 5498844..0000000
--- a/zosia_site/app_engine.tf
+++ /dev/null
@@ -1,27 +0,0 @@
-resource "google_app_engine_application" "zosia_site" {
- project = local.project_id
- location_id = local.region
-}
-
-data "google_app_engine_default_service_account" "default" {
-
- # Read the default service account after its created to avoid errors
- depends_on = [google_app_engine_application.zosia_site]
-}
-
-# TODO: Uncomment this (and possibly fix, it's not tested) in production to use the zosia.org domain
-# resource "google_app_engine_domain_mapping" "zosia_org_domain" {
-# domain_name = "zosia.org"
-
-# ssl_settings {
-# ssl_management_type = "AUTOMATIC"
-# }
-# }
-
-# resource "google_app_engine_domain_mapping" "www_zosia_org_domain" {
-# domain_name = "www.zosia.org"
-
-# ssl_settings {
-# ssl_management_type = "AUTOMATIC"
-# }
-# }
diff --git a/zosia_site/cloud_run.tf b/zosia_site/cloud_run.tf
new file mode 100644
index 0000000..93038fe
--- /dev/null
+++ b/zosia_site/cloud_run.tf
@@ -0,0 +1,128 @@
+locals {
+ docker_image_url = "${local.region}-docker.pkg.dev/${local.project_id}/${google_artifact_registry_repository.zosia-repo.repository_id}/${local.docker_image_name}:latest"
+}
+
+resource "google_artifact_registry_repository" "zosia-repo" {
+ location = local.region
+ repository_id = "zosia-repo"
+ description = "Repository for zosia site production images"
+ format = "DOCKER"
+
+ cleanup_policies {
+ id = "keep-minimum-versions"
+ action = "KEEP"
+ most_recent_versions {
+ keep_count = 5
+ }
+ }
+}
+
+resource "google_cloud_run_v2_job" "migrate" {
+ name = "migrate"
+ location = local.region
+
+ template {
+ template {
+ service_account = google_service_account.cloudrun_service_account.email
+
+ containers {
+ image = local.docker_image_url
+ command = ["./scripts/migrate.sh"]
+
+ env {
+ name = "GOOGLE_CLOUD_PROJECT"
+ value = local.project_id
+ }
+ }
+ }
+ }
+}
+
+resource "google_cloud_run_v2_job" "collectstatic" {
+ name = "collectstatic"
+ location = local.region
+
+ template {
+ template {
+ service_account = google_service_account.cloudrun_service_account.email
+
+ containers {
+ image = local.docker_image_url
+ command = ["./scripts/collectstatic.sh"]
+
+ env {
+ name = "GOOGLE_CLOUD_PROJECT"
+ value = local.project_id
+ }
+
+ env {
+ name = "GCS_BUCKET_NAME"
+ value = google_storage_bucket.static_files_bucket.name
+ }
+ }
+ }
+ }
+}
+
+resource "google_cloud_run_v2_service" "zosia_site" {
+ name = "zosia"
+ location = local.region
+
+ template {
+ service_account = google_service_account.cloudrun_service_account.email
+
+ containers {
+ image = local.docker_image_url
+ command = ["./scripts/start_prod_server.sh"]
+
+ env {
+ name = "GOOGLE_CLOUD_PROJECT"
+ value = local.project_id
+ }
+
+ env {
+ name = "GCS_BUCKET_NAME"
+ value = google_storage_bucket.static_files_bucket.name
+ }
+
+ # TODO: Add domain mapping to zosia.org and www.zosia.org
+ env {
+ name = "HOSTS"
+ value = "zosia.org, www.zosia.org"
+ }
+ }
+ }
+}
+
+# This allows zosia website to be accessed by anyone without authentication
+resource "google_cloud_run_v2_service_iam_member" "noauth" {
+ location = google_cloud_run_v2_service.zosia_site.location
+ name = google_cloud_run_v2_service.zosia_site.name
+ role = "roles/run.invoker"
+ member = "allUsers"
+}
+
+resource "random_id" "static_files_bucket_prefix" {
+ byte_length = 8
+}
+
+resource "google_storage_bucket" "static_files_bucket" {
+ name = "${random_id.static_files_bucket_prefix.hex}-static-files-bucket"
+ location = local.region
+ force_destroy = false
+ storage_class = "STANDARD"
+
+ cors {
+ origin = ["*"]
+ method = ["GET"]
+ response_header = ["*"]
+ }
+}
+
+# This allows anyone on the internet to view static files
+resource "google_storage_bucket_iam_member" "static_files_bucket_public" {
+ bucket = google_storage_bucket.static_files_bucket.name
+ role = "roles/storage.objectViewer"
+ member = "allUsers"
+}
+
diff --git a/zosia_site/iam.tf b/zosia_site/iam.tf
index 6cf92ff..f602321 100644
--- a/zosia_site/iam.tf
+++ b/zosia_site/iam.tf
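Review bot: `docker_image_url` in the `locals` block at the top of the hunk ends in `:latest`, so all three Cloud Run resources run whatever image currently carries that mutable tag, and a re-push to the registry changes what is deployed without any change to this configuration or its plan; pinning by digest, or by an immutable tag supplied next to `docker_image_name` in locals, keeps the deployed artifact reviewable and reproducible. `google_storage_bucket.static_files_bucket` is made world-readable through `allUsers` on `roles/storage.objectViewer`, which is reasonable for static assets, but the bucket does not set `uniform_bucket_level_access = true`, so per-object ACLs remain a second, less visible way to grant access; add that attribute to the bucket resource. The `HOSTS` value `"zosia.org, www.zosia.org"` carries a space after the comma — presumably the application trims each entry, but worth confirming against the settings code that parses it.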
@@ -1,28 +1,32 @@ -# Required for App Engine app to access Secret Manager in runtime +resource "google_service_account" "cloudrun_service_account" { + account_id = "cloudrun-service-account" + display_name = "Cloud Run Service Account" +} + +# Required for Cloud Run to access Secret Manager in runtime resource "google_secret_manager_secret_iam_member" "service_account_secret_accessor" { secret_id = google_secret_manager_secret.django_settings.secret_id role = "roles/secretmanager.secretAccessor" - member = data.google_app_engine_default_service_account.default.member - - # Wait for the service account to be created before assigning roles - depends_on = [ - google_app_engine_application.zosia_site, - data.google_app_engine_default_service_account.default - ] + member = google_service_account.cloudrun_service_account.member } -# Required for App Engine app to access Cloud SQL in runtime +# Required for Cloud Run to access Cloud SQL in runtime resource "google_project_iam_binding" "service_account_cloudsql_client" { project = local.project_id role = "roles/cloudsql.client" members = [ - data.google_app_engine_default_service_account.default.member, + google_service_account.cloudrun_service_account.member ] +} - # Wait for the service account to be created before assigning roles - depends_on = [ - google_app_engine_application.zosia_site, - data.google_app_engine_default_service_account.default +# Required for Cloud Run to access Cloud Storage with static files in runtime +resource "google_project_iam_binding" "cloud_storage_admin" { + project = local.project_id + role = "roles/storage.objectAdmin" + + members = [ + google_service_account.cloudrun_service_account.member ] + } diff --git a/zosia_site/locals.tf b/zosia_site/locals.tf index 553bdda..68a915e 100644 --- a/zosia_site/locals.tf +++ b/zosia_site/locals.tf 
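Review bot: The new `cloud_storage_admin` binding at the end of the hunk grants `roles/storage.objectAdmin` on the whole project, while the comment above it says the access is needed for the static-files bucket; binding the same role on `google_storage_bucket.static_files_bucket` (created in cloud_run.tf in this commit) gives the service account write access to that bucket only. `google_project_iam_binding` is also authoritative for its role: on apply it removes every other principal holding `roles/storage.objectAdmin` at project level, which is easy to miss for a role this widely used. The bucket-scoped `google_storage_bucket_iam_member` below avoids both issues; `service_account_cloudsql_client` has the same authoritative semantics, but its membership is only swapped here, not widened.
```hcl
# Required for Cloud Run to write static files to the bucket in runtime
resource "google_storage_bucket_iam_member" "cloudrun_static_files_writer" {
  bucket = google_storage_bucket.static_files_bucket.name
  role   = "roles/storage.objectAdmin"
  member = google_service_account.cloudrun_service_account.member
}
```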
@@ -1,6 +1,7 @@ locals { - project_id = "" - region = "europe-central2" + project_id = "" + region = "europe-central2" + docker_image_name = "zosia_prod" db_settings = { username = "zosia-admin"
diff --git a/zosia_site/services.tf b/zosia_site/services.tf
index 651dfa8..da394fa 100644
--- a/zosia_site/services.tf
+++ b/zosia_site/services.tf
@@ -14,3 +14,13 @@ resource "google_project_service" "sql_service" {
 project = local.project_id
 service = "sql-component.googleapis.com"
 }
+
+resource "google_project_service" "artifactregistry_service" {
+ project = local.project_id
+ service = "artifactregistry.googleapis.com"
+}
+
+resource "google_project_service" "cloudrun_service" {
+ project = local.project_id
+ service = "run.googleapis.com"
+}
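Review bot: Nothing ties the two new `google_project_service` resources in the services.tf hunk to the Cloud Run and Artifact Registry resources that need those APIs; Terraform does not infer that dependency, so on a fresh project the first apply can race API enablement and fail until re-run. Adding `depends_on = [google_project_service.cloudrun_service, google_project_service.artifactregistry_service]` to the `google_cloud_run_v2_service`, the two `google_cloud_run_v2_job`s and the `google_artifact_registry_repository` in cloud_run.tf makes the ordering explicit.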