diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml
new file mode 100644
index 00000000..73a91d65
--- /dev/null
+++ b/.github/workflows/terraform-ci.yml
@@ -0,0 +1,82 @@
+name: "Terraform CI"
+
+on:
+ push:
+ branches: [main]
+ paths:
+ - "DevOps-Project-11/**"
+ pull_request:
+ branches: [main]
+ paths:
+ - "DevOps-Project-11/**"
+
+env:
+ TF_VERSION: "1.7.0"
+ WORKING_DIR: "DevOps-Project-11"
+
+jobs:
+ format:
+ name: Terraform Format Check
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: ${{ env.TF_VERSION }}
+
+ - name: Terraform Format Check
+ working-directory: ${{ env.WORKING_DIR }}
+ run: terraform fmt -check -recursive -diff
+
+ validate:
+ name: Terraform Validate
+ runs-on: ubuntu-latest
+ needs: format
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: ${{ env.TF_VERSION }}
+
+ - name: Terraform Init
+ working-directory: ${{ env.WORKING_DIR }}
+ run: terraform init -backend=false
+
+ - name: Terraform Validate
+ working-directory: ${{ env.WORKING_DIR }}
+ run: terraform validate
+
+ plan:
+ name: Terraform Plan
+ runs-on: ubuntu-latest
+ needs: validate
+ if: github.event_name == 'pull_request'
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v3
+ with:
+ terraform_version: ${{ env.TF_VERSION }}
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+ aws-region: us-east-1
+
+ - name: Terraform Init
+ working-directory: ${{ env.WORKING_DIR }}
+ run: terraform init
+
+ - name: Terraform Plan
+ working-directory: ${{ env.WORKING_DIR }}
+ run: terraform plan -var-file=variables.tfvars -no-color -input=false
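Review bot: The plan job hands long-lived static AWS keys (`secrets.AWS_ACCESS_KEY_ID`, `secrets.AWS_SECRET_ACCESS_KEY`) to a job that runs `terraform init` and `terraform plan` on the pull-request branch, so the Terraform code under review executes with whatever those keys allow. Short-lived OIDC credentials through `role-to-assume`, bound to a role with read-only plan permissions, would limit that; the workflow also sets no `permissions:` block, so `GITHUB_TOKEN` keeps the repository default scope. All three `uses:` references are mutable tags (`@v4`, `@v3`); pinning them to full commit SHAs keeps a moved tag from running in the job that holds cloud credentials. Pull requests from forks do not receive secrets, so the plan job will presumably fail there as written.

```yaml
# … unchanged: name, on, env …
permissions:
  contents: read

# … unchanged: format and validate jobs …
  plan:
    # … unchanged: name, runs-on, needs, if …
    permissions:
      contents: read
      id-token: write  # lets this job request an OIDC token
    # … unchanged: checkout and setup-terraform steps …
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # placeholder secret name: ARN of a read-only role used for planning
          role-to-assume: ${{ secrets.AWS_PLAN_ROLE_ARN }}
          aws-region: us-east-1
    # … unchanged: terraform init and terraform plan steps …
```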
diff --git a/DevOps-Project-11/modules/alb-tg/outputs.tf b/DevOps-Project-11/modules/alb-tg/outputs.tf
new file mode 100644
index 00000000..1c8a6f32
--- /dev/null
+++ b/DevOps-Project-11/modules/alb-tg/outputs.tf
@@ -0,0 +1,14 @@
+output "alb_dns_name" {
+ description = "The DNS name of the Application Load Balancer"
+ value = aws_lb.alb.dns_name
+}
+
+output "alb_arn" {
+ description = "The ARN of the Application Load Balancer"
+ value = aws_lb.alb.arn
+}
+
+output "target_group_arn" {
+ description = "The ARN of the ALB target group"
+ value = aws_lb_target_group.tg.arn
+}
diff --git a/DevOps-Project-11/modules/aws-rds/outputs.tf b/DevOps-Project-11/modules/aws-rds/outputs.tf
new file mode 100644
index 00000000..121d20c1
--- /dev/null
+++ b/DevOps-Project-11/modules/aws-rds/outputs.tf
@@ -0,0 +1,14 @@
+output "rds_cluster_endpoint" {
+ description = "The writer endpoint of the Aurora RDS cluster"
+ value = aws_rds_cluster.rds-cluster.endpoint
+}
+
+output "rds_reader_endpoint" {
+ description = "The reader endpoint of the Aurora RDS cluster"
+ value = aws_rds_cluster.rds-cluster.reader_endpoint
+}
+
+output "rds_cluster_port" {
+ description = "The port of the Aurora RDS cluster"
+ value = aws_rds_cluster.rds-cluster.port
+}
diff --git a/DevOps-Project-11/modules/aws-waf-cdn-acm-route53/outputs.tf b/DevOps-Project-11/modules/aws-waf-cdn-acm-route53/outputs.tf
new file mode 100644
index 00000000..9ae6ef71
--- /dev/null
+++ b/DevOps-Project-11/modules/aws-waf-cdn-acm-route53/outputs.tf
@@ -0,0 +1,14 @@
+output "cloudfront_domain_name" {
+ description = "The domain name of the CloudFront distribution"
+ value = aws_cloudfront_distribution.cf.domain_name
+}
+
+output "cloudfront_distribution_id" {
+ description = "The ID of the CloudFront distribution"
+ value = aws_cloudfront_distribution.cf.id
+}
+
+output "acm_certificate_arn" {
+ description = "The ARN of the ACM certificate"
+ value = aws_acm_certificate.acm.arn
+}
diff --git a/DevOps-Project-11/outputs.tf b/DevOps-Project-11/outputs.tf
new file mode 100644
index 00000000..1bc0ae28
--- /dev/null
+++ b/DevOps-Project-11/outputs.tf
@@ -0,0 +1,29 @@
+# -----------------------------------------------------------------------------
+# Root Outputs — Two-Tier AWS Architecture
+# These values are printed to the console after a successful `terraform apply`.
+# -----------------------------------------------------------------------------
+
+output "alb_dns_name" {
+ description = "DNS name of the Application Load Balancer (HTTP entry point)"
+ value = module.alb.alb_dns_name
+}
+
+output "cloudfront_domain_name" {
+ description = "Domain name of the CloudFront distribution (HTTPS entry point)"
+ value = module.route53.cloudfront_domain_name
+}
+
+output "rds_endpoint" {
+ description = "Writer endpoint of the Aurora MySQL cluster"
+ value = module.rds.rds_cluster_endpoint
+}
+
+output "rds_reader_endpoint" {
+ description = "Reader endpoint of the Aurora MySQL cluster (read replicas)"
+ value = module.rds.rds_reader_endpoint
+}
+
+output "cloudfront_distribution_id" {
+ description = "CloudFront distribution ID (useful for cache invalidation)"
+ value = module.route53.cloudfront_distribution_id
+}
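Review bot: The `alb_dns_name` description labels the load balancer an "HTTP entry point" beside the CloudFront "HTTPS entry point", which documents direct cleartext access to the ALB as a supported path. If the WAF in `modules/aws-waf-cdn-acm-route53` is attached to the CloudFront distribution only (not visible in this diff), requests sent to the ALB name would not pass through it. I would word it as `description = "DNS name of the ALB (CloudFront origin, not a client entry point)"` and check that the ALB's security group admits only CloudFront.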