diff --git a/web_api/terraform/state_storage/README.md b/web_api/terraform/state_storage/README.md
new file mode 100644
index 00000000..9e4ce8d0
--- /dev/null
+++ b/web_api/terraform/state_storage/README.md
@@ -0,0 +1,16 @@
+Created bucket and table manually:
+
+```
+aws s3api create-bucket --bucket osm-terraform-storage --region us-east-1
+aws s3api list-buckets
+aws s3api list-buckets --region us-east-1
+aws s3api put-bucket-versioning --bucket osm-terraform-storage --versioning-configuration Status=Enabled
+aws s3 cp state-storage.tf s3://osm-terraform-storage/test.tf
+aws s3 rm s3://osm-terraform-storage --recursive
+# Failed: aws dynamodb create-table --table-name terraform-locks --attribute-definitions AttributeName=LockID,AttributeType=S --key-schema AttributeName=LockID,KeyType=HASH --billing-mode PAY_PER_REQUEST --region us-east-1
+# Created dynamodb-policy.json
+aws iam create-policy --policy-name DynamoDBFullAccess --policy-document file://dynamodb-policy.json
+aws iam attach-user-policy --policy-arn arn:aws:iam::507624629289:policy/DynamoDBFullAccess --user-name osm
+aws iam list-attached-user-policies --user-name osm
+aws dynamodb create-table --table-name terraform-locks --attribute-definitions AttributeName=LockID,AttributeType=S --key-schema AttributeName=LockID,KeyType=HASH --billing-mode PAY_PER_REQUEST --region us-east-1
+```
diff --git a/web_api/terraform/state_storage/dynamodb-policy.json b/web_api/terraform/state_storage/dynamodb-policy.json
new file mode 100644
index 00000000..714b91c4
--- /dev/null
+++ b/web_api/terraform/state_storage/dynamodb-policy.json
@@ -0,0 +1,29 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "dynamodb:CreateTable",
+ "dynamodb:DeleteTable",
+ "dynamodb:DescribeTable",
+ "dynamodb:ListTables",
+ "dynamodb:UpdateTable",
+ "dynamodb:PutItem",
+ "dynamodb:GetItem",
+ "dynamodb:DeleteItem",
+ "dynamodb:Query",
+ "dynamodb:Scan"
+ ],
+ "Resource": "arn:aws:dynamodb:us-east-1:507624629289:table/terraform-locks"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "dynamodb:ListTables",
+ "dynamodb:ListTagsOfResource"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/web_api/terraform/state_storage/state-storage.tf b/web_api/terraform/state_storage/state-storage.tf
new file mode 100644
index 00000000..0d5877f7
--- /dev/null
+++ b/web_api/terraform/state_storage/state-storage.tf
@@ -0,0 +1,46 @@
+provider "aws" {
+ region = "us-east-1"
+}
+
+resource "aws_s3_bucket" "tf_state" {
+ bucket = "osm-storage"
+ versioning {
+ enabled = true
+ }
+ server_side_encryption_configuration {
+ rule {
+ apply_server_side_encryption_by_default {
+ sse_algorithm = "AES256"
+ }
+ }
+ }
+ lifecycle_rule {
+ id = "tf_state"
+ enabled = true
+ transition {
+ days = 30
+ storage_class = "STANDARD_IA"
+ }
+ expiration {
+ days = 365
+ }
+ }
+ tags = {
+ Name = "terraform-state-storage"
+ }
+}
+
+resource "aws_dynamodb_table" "tf_locks" {
+ name = "terraform-locks"
+ billing_mode = "PAY_PER_REQUEST"
+ hash_key = "LockID"
+
+ attribute {
+ name = "LockID"
+ type = "S"
+ }
+
+ tags = {
+ Name = "terraform-state-locks"
+ }
+}
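Review bot: The first statement in dynamodb-policy.json grants `dynamodb:DeleteTable`, `dynamodb:UpdateTable`, `dynamodb:Query` and `dynamodb:Scan` on the lock table, which is wider than the S3 backend's documented locking needs (`DescribeTable`, `GetItem`, `PutItem`, `DeleteItem`); if this policy stays attached to the `osm` user after the one-off `create-table` in the README, trimming it to those four actions (keeping `CreateTable` only while bootstrapping) limits what a compromised credential for that user could do to the lock table. `dynamodb:ListTables` appears in both statements, and since it does not support resource-level permissions the copy scoped to the table ARN has no effect and can be dropped. The name `DynamoDBFullAccess` chosen in the README implies a far broader grant than this document makes; something like `TerraformLocksAccess` would describe it honestly.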
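Review bot: `aws_s3_bucket.tf_state` names the bucket `osm-storage`, while the README in this same commit records the manually created state bucket as `osm-terraform-storage`, so one of the two is wrong and a backend pointed at the README name would not be the bucket this file manages. The `lifecycle_rule` `expiration { days = 365 }` is dangerous on a state bucket: on a versioned bucket an expiration places a delete marker on the current object, so a workspace whose state has not been rewritten for a year would suddenly read as having no state — if the goal is to age out old revisions, `noncurrent_version_expiration` is the right knob. The bucket also lacks an `aws_s3_bucket_public_access_block` and a `lifecycle { prevent_destroy = true }` guard, both usual for a bucket whose contents (Terraform state) routinely include plaintext secrets. No provider version is pinned either; the inline `versioning`, `server_side_encryption_configuration` and `lifecycle_rule` arguments were deprecated in AWS provider 4.x in favour of separate resources, so a `required_providers` constraint would make this file's behaviour predictable across machines.

```hcl
resource "aws_s3_bucket" "tf_state" {
  bucket = "osm-storage" # TODO: reconcile with README, which uses osm-terraform-storage
  # … unchanged: versioning, server_side_encryption_configuration …
  lifecycle_rule {
    id      = "tf_state"
    enabled = true
    transition {
      days          = 30
      storage_class = "STANDARD_IA"
    }
    # Expire only superseded state versions; never the current one.
    noncurrent_version_expiration {
      days = 365
    }
  }
  # … unchanged: tags …
  lifecycle {
    prevent_destroy = true
  }
}

resource "aws_s3_bucket_public_access_block" "tf_state" {
  bucket                  = aws_s3_bucket.tf_state.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```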