diff --git a/.gitignore b/.gitignore
new file mode 100644
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+.terraform/
+terraform.tfstate*
diff --git a/azure/terraform/README.md b/azure/terraform/README.md
new file mode 100644
--- /dev/null
+++ b/azure/terraform/README.md
@@ -0,0 +1,37 @@
+# Install terraform
+
+https://learn.hashicorp.com/terraform/getting-started/install.html#installing-terraform
+
+# Login
+
+Through azure cli (for now)
+
+```
+az login
+```
+
+# Init
+
+```
+terraform init
+```
+
+# Plan changes
+
+This will compute all *.tf files present in the folder and compute a
+differential plan:
+
+```
+terraform plan
+```
+
+Note: It might be a good idea to change the `variables.tf` file to adapt for
+example the admin user and its associated public key
+
+# Apply changes
+
+Same as previous command except that it applies the diff to the infra:
+
+```
+terraform apply
+```
diff --git a/azure/terraform/variables.tf b/azure/terraform/variables.tf
new file mode 100644
--- /dev/null
+++ b/azure/terraform/variables.tf
@@ -0,0 +1,9 @@
+variable "ssh_key_data" {
+  type = "string"
+  default = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZarzgHrzUYspvrgSI6fszrALo92BDys7QOkJgUfZa9t9m4g7dUANNtwBiqIbqijAQPmB1zKgG6QTZC5rJkRy6KqXCW/+Qeedw/FWIbuI7jOD5WxnglbEQgvPkkB8kf1xIF7icRfWcQmK2je/3sFd9yS4/+jftNMPPXkBCxYm74onMenyllA1akA8FLyujLu6MNA1D8iLLXvz6pBDTT4GZ5/bm3vSE6Go8Xbuyu4SCtYZSHaHC2lXZ6Hhi6dbli4d3OwkUWz+YhFGaEra5Fx45Iig4UCL6kXPkvL/oSc9KGerpT//Xj9qz1K7p/IrBS8+eA4X69bHYYV0UZKDADZSn ardumont@bespin"
+}
+
+variable "user_admin" {
+    type = "string"
+    default = "ardumont"
+}
diff --git a/azure/terraform/vault.tf b/azure/terraform/vault.tf
new file mode 100644
--- /dev/null
+++ b/azure/terraform/vault.tf
@@ -0,0 +1,111 @@
+# Keyword use:
+# - provider: Define the provider(s)
+# - data: Retrieve data information to be used within the file
+# - resource: Define resource and create/update
+
+# Configure the Microsoft Azure Provider
+# Empty if using the `az login` tool
+provider "azurerm" {
+  version             = "~> 1.27"
+}
+
+# Reuse the network security group as defined currently
+data "azurerm_network_security_group" "worker-nsg" {
+  name                = "worker-nsg"
+  resource_group_name = "swh-resource"
+}
+
+# Same for the subnet
+data "azurerm_subnet" "default" {
+  name                 = "default"
+  virtual_network_name = "swh-vnet"
+  resource_group_name  = "swh-resource"
+}
+
+# Define a new resource for the vault
+# matching what we name elsewhere "euwest-${resource}"
+
+resource "azurerm_resource_group" "euwest-vault" {
+  name     = "euwest-vault"
+  location = "westeurope"
+
+  tags {
+      environment = "SWH Vault"
+  }
+}
+
+resource "azurerm_network_interface" "vangogh-interface" {
+  name                = "vangogh-interface"
+  location            = "westeurope"
+  resource_group_name = "euwest-vault"
+  network_security_group_id = "${data.azurerm_network_security_group.worker-nsg.id}"
+
+  ip_configuration {
+    name                          = "vaultNicConfiguration"
+    subnet_id                     = "${data.azurerm_subnet.default.id}"
+    public_ip_address_id          = ""
+    private_ip_address_allocation = "Dynamic"
+  }
+}
+
+# Blobstorage as defined in task
+resource "azurerm_storage_account" "vault-storage" {
+  name                     = "swhvaultstorage"
+  resource_group_name      = "${azurerm_resource_group.euwest-vault.name}"
+  location                 = "westeurope"
+  account_tier             = "Standard"
+  account_replication_type = "LRS"
+  account_kind             = "BlobStorage"
+  access_tier              = "Cool"
+  tags {
+      environment = "SWH Vault"
+  }
+}
+
+# A container for the blob storage named 'contents' (as other blob storages)
+resource "azurerm_storage_container" "contents" {
+  name                  = "contents"
+  resource_group_name   = "${azurerm_resource_group.euwest-vault.name}"
+  storage_account_name  = "${azurerm_storage_account.vault-storage.name}"
+  container_access_type = "private"
+}
+
+resource "azurerm_virtual_machine" "vault-server" {
+  name                  = "vangogh"
+  location              = "westeurope"
+  resource_group_name   = "euwest-vault"
+  network_interface_ids = ["${azurerm_network_interface.vangogh-interface.id}"]
+  vm_size               = "Standard_B2ms"
+
+  storage_os_disk {
+    name              = "vangogh-osdisk"
+    caching           = "ReadWrite"
+    create_option     = "FromImage"
+    managed_disk_type = "Premium_LRS"
+  }
+
+  storage_image_reference {
+    publisher = "credativ"
+    offer     = "Debian"
+    sku       = "9"
+    version   = "latest"
+  }
+
+  # (Va)ngogh <-> (Va)ult
+  os_profile {
+    computer_name  = "vangogh"
+    admin_username = "${var.user_admin}"
+  }
+
+  os_profile_linux_config {
+    disable_password_authentication = true
+    ssh_keys {
+      path = "/home/${var.user_admin}/.ssh/authorized_keys"
+      key_data = "${var.ssh_key_data}"
+    }
+  }
+
+  tags {
+      environment = "SWH Vault"
+  }
+}