diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..f902da4
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,57 @@
+# Thanks to https://blog.gruntwork.io/how-to-manage-terraform-state-28f5697e68fa
+
+resource "aws_s3_bucket" "terraform_state" {
+ bucket = "omnicognate-terraform-state"
+
+ # Prevent accidental deletion of this S3 bucket
+ lifecycle {
+ prevent_destroy = true
+ }
+ tags = merge(
+ { Name = "${var.resource_name_prefix}-aws_s3_bucket" },
+ var.common_tags,
+ )
+}
+
+resource "aws_s3_bucket_versioning" "enabled" {
+ bucket = aws_s3_bucket.terraform_state.id
+ versioning_configuration {
+ status = "Enabled"
+ }
+
+ }
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
+ bucket = aws_s3_bucket.terraform_state.id
+
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+
+ }
+
+resource "aws_s3_bucket_public_access_block" "public_access" {
+ bucket = aws_s3_bucket.terraform_state.id
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+
+ }
+
+resource "aws_dynamodb_table" "terraform_locks" {
+ name = "omnicognate-terraform-locks"
+ billing_mode = "PAY_PER_REQUEST"
+ hash_key = "LockID"
+
+ attribute {
+ name = "LockID"
+ type = "S"
+ }
+ tags = merge(
+ { Name = "${var.resource_name_prefix}-aws_dynamodb_table" },
+ var.common_tags,
+ )
+}
\ No newline at end of file
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..4133a7d
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,9 @@
+output "s3_bucket_arn" {
+ value = aws_s3_bucket.terraform_state.arn
+ description = "The ARN of the S3 bucket"
+}
+
+output "dynamodb_table_name" {
+ value = aws_dynamodb_table.terraform_locks.name
+ description = "The name of the DynamoDB table"
+}
\ No newline at end of file
diff --git a/providers.tf b/providers.tf
new file mode 100644
index 0000000..2f1c658
--- /dev/null
+++ b/providers.tf
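Review bot: The state bucket gets versioning, SSE-S3 and a public-access block, but no bucket policy denying plaintext (non-TLS) requests, so the encryption-at-rest rule in aws_s3_bucket_server_side_encryption_configuration.default does not cover the transport path; Terraform state routinely contains credentials and other secrets, so a deny-on-`aws:SecureTransport` policy is the usual complement to the public_access resource. The aws_dynamodb_table.terraform_locks resource likewise has no `point_in_time_recovery { enabled = true }` block, which is cheap insurance for a table whose loss blocks every apply. The bucket policy is sketched below and would sit next to the existing public_access resource.
```hcl
resource "aws_s3_bucket_policy" "require_tls" {
  bucket = aws_s3_bucket.terraform_state.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "DenyInsecureTransport"
      Effect    = "Deny"
      Principal = "*"
      Action    = "s3:*"
      Resource = [
        aws_s3_bucket.terraform_state.arn,
        "${aws_s3_bucket.terraform_state.arn}/*",
      ]
      Condition = { Bool = { "aws:SecureTransport" = "false" } }
    }]
  })
}
# … unchanged: aws_dynamodb_table.terraform_locks …
```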
@@ -0,0 +1,24 @@
+terraform {
+ backend "s3" {
+ bucket = "omnicognate-terraform-state"
+ key = "global/s3/terraform.tfstate"
+ region = "eu-north-1"
+ dynamodb_table = "omnicognate-terraform-locks"
+ encrypt = true
+ }
+ required_version = ">= 1.0.0"
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.0.0"
+ }
+ }
+}
+provider "aws" {
+ region = var.aws_region
+ # using aws-vault to assume a role
+ assume_role {
+ duration = "1h"
+ role_arn = var.role_arn
+ }
+}
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
new file mode 100644
index 0000000..e7ca01c
--- /dev/null
+++ b/terraform.tfvars.example
@@ -0,0 +1,5 @@
+# === user vars ===
+role_arn = ""
+
+# === required core vars ===
+aws_region = "eu-north-1"
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..8e60f27
--- /dev/null
+++ b/variables.tf
@@ -0,0 +1,26 @@
+# === General ===
+
+variable "resource_name_prefix" {
+ type = string
+ description = "Resource name prefix used for tagging and naming AWS resources"
+ default = "tf-state"
+}
+
+variable "aws_region" {
+ type = string
+ description = "AWS region where Vault will be deployed"
+ default = "eu-north-1"
+}
+
+variable "role_arn" {
+ type = string
+ description = "The assumed role to use for this project."
+}
+
+variable "common_tags" {
+ type = map(string)
+ description = "(Optional) Map of common tags for all taggable AWS resources."
+ default = {
+ "project" = "tf-state-on-s3"
+ }
+}
\ No newline at end of file
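Review bot: The `backend "s3"` block points at the bucket and lock table that main.tf in this same commit creates, so a fresh checkout cannot `terraform init` against it until those resources exist; the bootstrap order (apply once with local state, then enable the backend and run `terraform init -migrate-state`) is only implied by the blog link at the top of main.tf and belongs in a comment above the backend block. The provider constraint `version = ">= 4.0.0"` has no upper bound, so a later major release with breaking changes can be picked up silently on the next init; `version = "~> 4.0"` pins the major, and committing the `.terraform.lock.hcl` that init generates pins the exact build and its checksums. The hard-coded `region = "eu-north-1"` in the backend duplicates the `aws_region` default, which backend blocks cannot avoid, but a one-line comment saying the two must be kept in step would save a future mismatch.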
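Review bot: The description of `aws_region` reads `"AWS region where Vault will be deployed"`, which looks like a leftover from another project: nothing in this configuration deploys Vault, and the variable feeds the provider for the state bucket and lock table. Suggest `description = "AWS region for the Terraform state bucket and lock table"`. The `role_arn` variable has no default and no validation, so a malformed ARN is only caught at the first AWS API call; a `validation` block whose condition is `can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/", var.role_arn))` would fail fast at plan time.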