diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl new file mode 100644 index 0000000..3a218be --- /dev/null +++ b/.terraform.lock.hcl 
@@ -0,0 +1,82 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.3.0" + constraints = "~> 5.3.0" + hashes = [ + "h1:89Ara9HnoQzGsFK1nU0fPD8h0SsHJnlVc8mUfOQSAYE=", + "zh:001814dcf6b2329de5e2c9223c4f1e95a0f60d6670046015419053b03b3c0712", + "zh:3c511a91f53076c3a1117526bee0880b339261f1eb3feecd7854771bfef7890d", + "zh:3e6c19e048f06051c9296c7a3236946f37431ce0d84f843585c5f3e8504759d3", + "zh:476a3d918782a479166f33418192b522698e39702e8a0aec823682d3ee3082f1", + "zh:5dd0d3bff7a7acabeed600dfbbef797e189c4877f65e4b4ed572cb33e454f602", + "zh:6627f95a41e30c01b7f7c9e3db1cccba056c5257c36cccfaa0898d526211add2", + "zh:663023a4244cf7f7df2b08ab204922f7902eefe9a7b51a2c2def1a7dafe6f55f", + "zh:79cb8a22a131b7d2beb331d8443207eed10fdb4b09655048960bd5d59c8bbf3a", + "zh:8c2275a0954042cfc44843a6045543744e08bd8cad487f0bc9162cf92a9bcdcc", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:ad08ae20b9402461af863772a9e4ff5677e14f3fc86d5b148bd4faaaa361f601", + "zh:b8b7bd15fc1842aeedc2e5eab03b8357cdb2b9fe3e67dd82ae240be3081bf637", + "zh:bdb3858c4c632aad8d5c4bff063f3afb18de51cec3167b3496d5bc5856915301", + "zh:f354a433ec8095b06c2701725411ffb73a20ef9b1aa325434e1bb575b5c86d52", + "zh:f47e1342883d599f4675dcfdeb9707cdfcfaf53c677f93fd5c410580d4dece13", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.5.1" + hashes = [ + "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=", + "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64", + "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d", + "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831", + "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3", + "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + 
"zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b", + "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2", + "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865", + "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03", + "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602", + "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014", + ] +} + +provider "registry.terraform.io/hashicorp/tfe" { + version = "0.48.0" + hashes = [ + "h1:KOFl1bsYNzgFocTBbinbEsq5ID2MMCq/Sz/GqpeKxmg=", + "zh:197dac661bad7f7f385febcc163232256b1539ad42591ac840b957bb05ba89c0", + "zh:22988599feab5eea5cabb610d089b96263af95ea1db20d440338532acec4487f", + "zh:2e931769542a3519a7734a1cfcc5f8eaf24cef1a4aeb40b7cab887c20a116d55", + "zh:3d4de9176257c7b479bba8bf64f6cbcfb79714a24fb93013137d220448763b0d", + "zh:5ea2ab756edb6e06646e2313878b4de367bd37147d687db62862eaa2ffc610f1", + "zh:731f5df46fa38b0ef65da6f98516190726053d716072ba9b2a4089062977c7da", + "zh:7f36d886695fc24bf51e4bb3fbf085d650b3645093ee0d9a884ab35bbb246ccb", + "zh:952b3c9572c686ad1eb6f522fe2851ee15f3dd2deacb0c837a0de3b541412dff", + "zh:9d7396a6f94330453c9c080e9778f064619e075e9c50e8acb05a00813f573c0a", + "zh:ceebbbbde39cf4c5ebc5bfe42a6164c3489caf428c95961d45e850cc65076e08", + "zh:d95ec293fa70e946b6cd657912b33155f8be3413e6128ed2bfa5a493f788e439", + "zh:f82161f851c82729d1b9a4407904dd1127f5655710c3fa8278070f7db961479a", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "4.0.4" + hashes = [ + "h1:pe9vq86dZZKCm+8k1RhzARwENslF3SXb9ErHbQfgjXU=", + "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", + "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848", + "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be", + "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5", + "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe", + 
"zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e", + "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48", + "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8", + "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60", + "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e", + "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/README.md b/README.md index 82a3983..2d71655 100644 --- a/README.md +++ b/README.md 
@@ -1,70 +1,119 @@ -# terraform-module-template - -A template repository to provide a basic setup for Terraform modules. - -## Module structure - -The module structure is based on the [Terraform module documentation](https://www.terraform.io/docs/modules/index.html#standard-module-structure). The following tree shows the structure of the module. - -```txt -├── .gitignore -├── LICENSE -├── README.md -├── docs -│ └── README.md -├── examples -│ ├── complete -│ │ ├── main.tf -│ │ ├── outputs.tf -│ │ ├── variables.tf -│ │ └── versions.tf -│ ├── minimal -│ │ ├── main.tf -│ │ ├── outputs.tf -│ │ ├── variables.tf -│ │ └── versions.tf -├── main.tf -├── outputs.tf -├── variables.tf -└── versions.tf +# Terraform AWS dynamic provider credentials + +This module creates a dynamic credentials setup between AWS and Terraform Cloud (project). It creates an IAM policy, IAM role, and IAM role policy attachment. It also creates a Terraform Cloud variable set with the AWS configurations. For more information on dynamic provider credentials, see [Dynamic Provider Credentials](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials). + +## Usage + +```terraform +// one-time credentials to setup the dynamic credentials +// this is the only time you need to provide credentials +// after this, the dynamic credentials will be used. +// If the setup was successful, `access_key` and `secret_key` should be removed. 
+provider "aws" { + region = var.aws_region + access_key = var.access_key + secret_key = var.secret_key +} + +module "aws_dynamic_provider_credentials" { + source = "tagesspiegel/dynamic-provider-credentials/aws" + version = "1.0.0" + + tfc_organization = "my-org" + tfc_project = "my-project" + + tfc_workspaces = [{ + name_override = "my-project-auth" + workspace = "*" + run_phase = "*" + policies = [ + { + Effect = "Allow" + Action = [ + "ec2:*" + ] + Resource = "*" + }, + { + Effect = "Allow" + Action = [ + "ram:*" + ] + Resource = "*" + }, + { + Effect = "Allow" + Action = [ + "cloudwatch:*" + ] + Resource = "*" + }, + { + Effect = "Allow" + Action = [ + "logs:*" + ] + Resource = "*" + }, + { + Effect = "Allow" + Action = [ + "kms:*" + ] + Resource = "*" + } + ] + }] +} ``` -## Working with this template - -In order to use this template, you can use the GitHub template feature. This will create a new repository based on this template. After that, you can clone the repository and start working on it. - -### Creating a new repository based on this template - -To get started with this template, you have to navigate https://github.com/new and select the Tagesspiegel organization. After that, you can select the `terraform-module-template` repository, enter a name for your new repository and click on `Create repository`. Please note that you have to define a name for your new repository that is not already taken and follows the naming conventions (`terraform--`). - -![Create GitHub repository based on template](docs/github_create_repository.png) - -If everything worked as expected, you should now have a new repository based on this template. You can now clone the repository and start working on it. - ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | ~> 1.5.6 | +| [aws](#requirement\_aws) | ~> 5.3.0 | ## Providers -No providers. 
+| Name | Version | +|------|---------| +| [tfe](#provider\_tfe) | 0.48.0 | ## Modules -No modules. +| Name | Source | Version | +|------|--------|---------| +| [aws\_identity\_provider](#module\_aws\_identity\_provider) | ./modules/iam_identity_provider | n/a | +| [aws\_tfc\_dynamic\_credentials\_iam\_roles](#module\_aws\_tfc\_dynamic\_credentials\_iam\_roles) | ./modules/iam_roles | n/a | ## Resources -No resources. +| Name | Type | +|------|------| +| [tfe_project_variable_set.tfc_project](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/project_variable_set) | resource | +| [tfe_variable.tfe_aws_provider_auth](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/variable) | resource | +| [tfe_variable.tfe_aws_provider_auth_arn](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/variable) | resource | +| [tfe_variable_set.tfc_aws_dynamic_credentials](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/resources/variable_set) | resource | +| [tfe_project.tfc_project](https://registry.terraform.io/providers/hashicorp/tfe/latest/docs/data-sources/project) | data source | ## Inputs -No inputs. +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [tfc\_aws\_audience](#input\_tfc\_aws\_audience) | AWS audience | `string` | `"aws.workload.identity"` | no | +| [tfc\_hostname](#input\_tfc\_hostname) | The hostname of the TFC or TFE instance you'd like to use with AWS | `string` | `"app.terraform.io"` | no | +| [tfc\_organization](#input\_tfc\_organization) | Name of the organization | `string` | n/a | yes | +| [tfc\_project](#input\_tfc\_project) | Name of the terraform cloud/enterprise project | `string` | n/a | yes | +| [tfc\_workspaces](#input\_tfc\_workspaces) | List of workspaces to create IAM roles for |
list(object({
name_override = string
workspace = string
run_phase = string
policies = list(object({
Effect = string
Action = list(string)
Resource = string
}))
}))
| n/a | yes | ## Outputs -No outputs. - \ No newline at end of file +| Name | Description | +|------|-------------| +| [aws\_tfc\_audience](#output\_aws\_tfc\_audience) | n/a | +| [full\_names](#output\_full\_names) | A list of all 'full\_name' values | +| [oidc\_claims](#output\_oidc\_claims) | A map of 'full\_name' as key and 'openid\_claims' as value | +| [role\_arns](#output\_role\_arns) | A map of 'full\_name' as key and 'role\_arn' as value | + diff --git a/main.tf b/main.tf index e69de29..d727ff3 100644 --- a/main.tf +++ b/main.tf 
@@ -0,0 +1,66 @@
+// import the aws oidc identity provider module
+// this module allows us to authenticate from terraform cloud to aws using oidc
+module "aws_identity_provider" {
+ source = "./modules/iam_identity_provider"
+ tfc_organization = var.tfc_organization
+ tfc_aws_audience = var.tfc_aws_audience
+ tfc_hostname = var.tfc_hostname
+}
+
+// aws iam roles that are created to grant permissions to terraform cloud
+module "aws_tfc_dynamic_credentials_iam_roles" {
+ source = "./modules/iam_roles"
+
+ depends_on = [
+ module.aws_identity_provider
+ ]
+
+ for_each = { for workspace in var.tfc_workspaces : "${workspace.name_override}" => workspace }
+
+ tfc_organization_name = var.tfc_organization
+ tfc_project_name = var.tfc_project
+
+ tfc_oidc_provider_arn = module.aws_identity_provider.aws_oidc_tfc_provider_arn
+ tfc_oidc_provider_client_id_list = module.aws_identity_provider.aws_oidc_tfc_provider_client_id_list
+
+ aws_iam_role_name_override = each.value.name_override
+ tfc_workspace_name = each.value.workspace
+ tfc_run_phase = each.value.run_phase
+ aws_iam_custom_policies = each.value.policies
+}
+
+// create a variable set
+resource "tfe_variable_set" "tfc_aws_dynamic_credentials" {
+ name = "aws-dynamic-credentials-${var.tfc_project}"
+ description = "AWS dynamic credentials"
+ organization = var.tfc_organization
+}
+
+// get the project id
+data "tfe_project" "tfc_project" {
+ name = var.tfc_project
+ organization = var.tfc_organization
+}
+
+// assign the variable set to the project
+resource "tfe_project_variable_set" "tfc_project" {
+ variable_set_id = tfe_variable_set.tfc_aws_dynamic_credentials.id
+ project_id = data.tfe_project.tfc_project.id
+}
+
+// create the variables
+resource "tfe_variable" "tfe_aws_provider_auth" {
+ key = "TFC_AWS_PROVIDER_AUTH"
+ value = "true"
+ category = "env"
+ description = "AWS provider auth"
+ variable_set_id = tfe_variable_set.tfc_aws_dynamic_credentials.id
+}
+
+resource "tfe_variable" "tfe_aws_provider_auth_arn" {
+ key = "TFC_AWS_RUN_ROLE_ARN"
+ value = module.aws_tfc_dynamic_credentials_iam_roles["${var.tfc_project}-auth"].role_arn
+ category = "env"
+ description = "AWS provider auth"
+ variable_set_id = tfe_variable_set.tfc_aws_dynamic_credentials.id
+}
diff --git a/modules/iam_identity_provider/.terraform.lock.hcl b/modules/iam_identity_provider/.terraform.lock.hcl
new file mode 100644
index 0000000..c2c9b05
--- /dev/null
+++ b/modules/iam_identity_provider/.terraform.lock.hcl
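Review bot: `tfe_variable.tfe_aws_provider_auth_arn` looks up `module.aws_tfc_dynamic_credentials_iam_roles["${var.tfc_project}-auth"]`, but that map is keyed by each entry's `name_override` (the `for_each` on `module "aws_tfc_dynamic_credentials_iam_roles"`), so the module silently requires one `tfc_workspaces` entry named exactly `<tfc_project>-auth` — the README example satisfies it only by its choice of names, and any other caller gets an unexplained invalid-index error at plan time. Because the variable set is attached to the whole project, that entry's role is also the one every workspace in the project assumes unless a workspace overrides `TFC_AWS_RUN_ROLE_ARN`, which makes the hidden contract worth checking explicitly; a `lifecycle.precondition` on the resource is the right place, since variable validation in the pinned 1.5 line cannot reference `var.tfc_project`. Two smaller points: `description = "AWS provider auth"` is copied from the previous resource and should say what the value is, e.g. `description = "ARN of the IAM role Terraform Cloud assumes for runs in this project"`; and `"${workspace.name_override}" => workspace` wraps a plain string in a needless interpolation — `workspace.name_override => workspace` is the form `terraform fmt` and tflint expect.
```hcl
resource "tfe_variable" "tfe_aws_provider_auth_arn" {
  key   = "TFC_AWS_RUN_ROLE_ARN"
  value = module.aws_tfc_dynamic_credentials_iam_roles["${var.tfc_project}-auth"].role_arn
  // … unchanged: category, description, variable_set_id …

  lifecycle {
    precondition {
      condition     = contains(keys(module.aws_tfc_dynamic_credentials_iam_roles), "${var.tfc_project}-auth")
      error_message = "tfc_workspaces must contain one entry whose name_override is \"<tfc_project>-auth\"; its IAM role ARN is published to the project as TFC_AWS_RUN_ROLE_ARN."
    }
  }
}
```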
@@ -0,0 +1,63 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.3.0" + constraints = "~> 5.3.0" + hashes = [ + "h1:89Ara9HnoQzGsFK1nU0fPD8h0SsHJnlVc8mUfOQSAYE=", + "zh:001814dcf6b2329de5e2c9223c4f1e95a0f60d6670046015419053b03b3c0712", + "zh:3c511a91f53076c3a1117526bee0880b339261f1eb3feecd7854771bfef7890d", + "zh:3e6c19e048f06051c9296c7a3236946f37431ce0d84f843585c5f3e8504759d3", + "zh:476a3d918782a479166f33418192b522698e39702e8a0aec823682d3ee3082f1", + "zh:5dd0d3bff7a7acabeed600dfbbef797e189c4877f65e4b4ed572cb33e454f602", + "zh:6627f95a41e30c01b7f7c9e3db1cccba056c5257c36cccfaa0898d526211add2", + "zh:663023a4244cf7f7df2b08ab204922f7902eefe9a7b51a2c2def1a7dafe6f55f", + "zh:79cb8a22a131b7d2beb331d8443207eed10fdb4b09655048960bd5d59c8bbf3a", + "zh:8c2275a0954042cfc44843a6045543744e08bd8cad487f0bc9162cf92a9bcdcc", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:ad08ae20b9402461af863772a9e4ff5677e14f3fc86d5b148bd4faaaa361f601", + "zh:b8b7bd15fc1842aeedc2e5eab03b8357cdb2b9fe3e67dd82ae240be3081bf637", + "zh:bdb3858c4c632aad8d5c4bff063f3afb18de51cec3167b3496d5bc5856915301", + "zh:f354a433ec8095b06c2701725411ffb73a20ef9b1aa325434e1bb575b5c86d52", + "zh:f47e1342883d599f4675dcfdeb9707cdfcfaf53c677f93fd5c410580d4dece13", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.5.1" + hashes = [ + "h1:VSnd9ZIPyfKHOObuQCaKfnjIHRtR7qTw19Rz8tJxm+k=", + "zh:04e3fbd610cb52c1017d282531364b9c53ef72b6bc533acb2a90671957324a64", + "zh:119197103301ebaf7efb91df8f0b6e0dd31e6ff943d231af35ee1831c599188d", + "zh:4d2b219d09abf3b1bb4df93d399ed156cadd61f44ad3baf5cf2954df2fba0831", + "zh:6130bdde527587bbe2dcaa7150363e96dbc5250ea20154176d82bc69df5d4ce3", + "zh:6cc326cd4000f724d3086ee05587e7710f032f94fc9af35e96a386a1c6f2214f", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + 
"zh:b6d88e1d28cf2dfa24e9fdcc3efc77adcdc1c3c3b5c7ce503a423efbdd6de57b", + "zh:ba74c592622ecbcef9dc2a4d81ed321c4e44cddf7da799faa324da9bf52a22b2", + "zh:c7c5cde98fe4ef1143bd1b3ec5dc04baf0d4cc3ca2c5c7d40d17c0e9b2076865", + "zh:dac4bad52c940cd0dfc27893507c1e92393846b024c5a9db159a93c534a3da03", + "zh:de8febe2a2acd9ac454b844a4106ed295ae9520ef54dc8ed2faf29f12716b602", + "zh:eab0d0495e7e711cca367f7d4df6e322e6c562fc52151ec931176115b83ed014", + ] +} + +provider "registry.terraform.io/hashicorp/tls" { + version = "4.0.4" + hashes = [ + "h1:pe9vq86dZZKCm+8k1RhzARwENslF3SXb9ErHbQfgjXU=", + "zh:23671ed83e1fcf79745534841e10291bbf34046b27d6e68a5d0aab77206f4a55", + "zh:45292421211ffd9e8e3eb3655677700e3c5047f71d8f7650d2ce30242335f848", + "zh:59fedb519f4433c0fdb1d58b27c210b27415fddd0cd73c5312530b4309c088be", + "zh:5a8eec2409a9ff7cd0758a9d818c74bcba92a240e6c5e54b99df68fff312bbd5", + "zh:5e6a4b39f3171f53292ab88058a59e64825f2b842760a4869e64dc1dc093d1fe", + "zh:810547d0bf9311d21c81cc306126d3547e7bd3f194fc295836acf164b9f8424e", + "zh:824a5f3617624243bed0259d7dd37d76017097dc3193dac669be342b90b2ab48", + "zh:9361ccc7048be5dcbc2fafe2d8216939765b3160bd52734f7a9fd917a39ecbd8", + "zh:aa02ea625aaf672e649296bce7580f62d724268189fe9ad7c1b36bb0fa12fa60", + "zh:c71b4cd40d6ec7815dfeefd57d88bc592c0c42f5e5858dcc88245d371b4b8b1e", + "zh:dabcd52f36b43d250a3d71ad7abfa07b5622c69068d989e60b79b2bb4f220316", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} diff --git a/modules/iam_identity_provider/main.tf b/modules/iam_identity_provider/main.tf new file mode 100644 index 0000000..7b834cf --- /dev/null +++ b/modules/iam_identity_provider/main.tf 
@@ -0,0 +1,23 @@
+// get tls certificate from tfc
+data "tls_certificate" "tfc_certificate" {
+ url = "https://${var.tfc_hostname}"
+}
+
+// generate two random strings to use as audience
+resource "random_string" "sfx1" {
+ length = 5
+ special = false
+ upper = false
+}
+resource "random_string" "sfx2" {
+ length = 3
+ special = false
+ upper = false
+}
+
+// create AWS IAM OIDC Identity Provider
+resource "aws_iam_openid_connect_provider" "this" {
+ url = data.tls_certificate.tfc_certificate.url
+ client_id_list = [var.tfc_aws_audience]
+ thumbprint_list = [data.tls_certificate.tfc_certificate.certificates[0].sha1_fingerprint]
+}
diff --git a/modules/iam_identity_provider/outputs.tf b/modules/iam_identity_provider/outputs.tf
new file mode 100644
index 0000000..3312b94
--- /dev/null
+++ b/modules/iam_identity_provider/outputs.tf
@@ -0,0 +1,15 @@
+output "aws_oidc_tfc_provider_arn" {
+ value = aws_iam_openid_connect_provider.this.arn
+ description = "The ARN of the AWS IAM OIDC Identity Provider created for TFC"
+}
+
+output "aws_oidc_tfc_provider_client_id_list" {
+ value = aws_iam_openid_connect_provider.this.client_id_list
+ description = "The list of client IDs for the AWS IAM OIDC Identity Provider created for TFC"
+}
+
+output "aws_tfc_audience" {
+ value = var.tfc_aws_audience
+ description = "The audience for the AWS IAM OIDC Identity Provider created for TFC"
+ sensitive = true
+}
diff --git a/modules/iam_identity_provider/variables.tf b/modules/iam_identity_provider/variables.tf
new file mode 100644
index 0000000..fe6da40
--- /dev/null
+++ b/modules/iam_identity_provider/variables.tf
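Review bot: `random_string.sfx1` and `random_string.sfx2` are never referenced — `client_id_list` takes `var.tfc_aws_audience` directly — so the comment `// generate two random strings to use as audience` states an intent the code does not implement, and the two resources only add the `random` provider to this module's dependencies and state. Either delete both resources with their comment or actually derive the audience from them; as written a reader may believe the audience is randomised per deployment when it is the shared default `aws.workload.identity`. `thumbprint_list` pins `certificates[0]`, which per the tls provider is the root of the served chain; a one-line comment such as `// certificates[0] is the chain root; AWS matches the provider on this CA thumbprint` would save the next reader a trip to the provider docs.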
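Review bot: `output "aws_tfc_audience"` is marked `sensitive = true` while `aws_oidc_tfc_provider_client_id_list` in the same file exposes the identical value unredacted (main.tf sets `client_id_list = [var.tfc_aws_audience]`), so the marking hides nothing and only propagates sensitivity to every consumer, as the root `output "aws_tfc_audience"` in this commit already shows. The audience is a public OIDC claim with a documented default rather than a secret; either drop `sensitive = true` or apply it to both outputs, and note the choice in the description.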
@@ -0,0 +1,16 @@
+variable "tfc_hostname" {
+ type = string
+ default = "app.terraform.io"
+ description = "The hostname of the TFC or TFE instance you'd like to use with AWS"
+}
+
+variable "tfc_organization" {
+ type = string
+ description = "The name of the TFC or TFE organization you'd like to use with AWS"
+}
+
+variable "tfc_aws_audience" {
+ type = string
+ default = "aws.workload.identity"
+ description = "The audience value to use in run identity tokens"
+}
diff --git a/modules/iam_identity_provider/versions.tf b/modules/iam_identity_provider/versions.tf
new file mode 100644
index 0000000..4265c58
--- /dev/null
+++ b/modules/iam_identity_provider/versions.tf
@@ -0,0 +1,8 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.3.0"
+ }
+ }
+}
diff --git a/modules/iam_roles/.terraform.lock.hcl b/modules/iam_roles/.terraform.lock.hcl
new file mode 100644
index 0000000..150dd5f
--- /dev/null
+++ b/modules/iam_roles/.terraform.lock.hcl
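Review bot: `variable "tfc_organization"` is declared and the root module passes it in, but nothing in this module's main.tf or outputs.tf reads `var.tfc_organization`, so it is a dead input that implies the identity provider is scoped to an organization when it is not; remove it together with the `tfc_organization = …` argument in the root `module "aws_identity_provider"` block, or use it. `tfc_hostname` is interpolated unchecked into `"https://${var.tfc_hostname}"`, and that string becomes the issuer URL of the IAM OIDC provider, so a value carrying a scheme or a path produces a provider that never matches the tokens Terraform Cloud issues; a validation block, e.g. `condition = can(regex("^[A-Za-z0-9.-]+(:[0-9]+)?$", var.tfc_hostname))` with `error_message = "tfc_hostname must be a bare hostname (optional port), without scheme or path."`, catches that at plan time.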
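Review bot: `required_providers` declares only `aws`, yet this module's main.tf uses `tls_certificate` and `random_string`, and the lock file in the same commit pins `hashicorp/tls` 4.0.4 and `hashicorp/random` 3.5.1; relying on the implicit `hashicorp/` namespace fallback for those two leaves them without any version constraint in the module itself. Add `tls = { source = "hashicorp/tls", version = "~> 4.0" }` and `random = { source = "hashicorp/random", version = "~> 3.5" }` alongside `aws` (or drop `random` if the unused `random_string` resources are removed).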
@@ -0,0 +1,25 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/aws" { + version = "5.3.0" + constraints = "~> 5.3.0" + hashes = [ + "h1:89Ara9HnoQzGsFK1nU0fPD8h0SsHJnlVc8mUfOQSAYE=", + "zh:001814dcf6b2329de5e2c9223c4f1e95a0f60d6670046015419053b03b3c0712", + "zh:3c511a91f53076c3a1117526bee0880b339261f1eb3feecd7854771bfef7890d", + "zh:3e6c19e048f06051c9296c7a3236946f37431ce0d84f843585c5f3e8504759d3", + "zh:476a3d918782a479166f33418192b522698e39702e8a0aec823682d3ee3082f1", + "zh:5dd0d3bff7a7acabeed600dfbbef797e189c4877f65e4b4ed572cb33e454f602", + "zh:6627f95a41e30c01b7f7c9e3db1cccba056c5257c36cccfaa0898d526211add2", + "zh:663023a4244cf7f7df2b08ab204922f7902eefe9a7b51a2c2def1a7dafe6f55f", + "zh:79cb8a22a131b7d2beb331d8443207eed10fdb4b09655048960bd5d59c8bbf3a", + "zh:8c2275a0954042cfc44843a6045543744e08bd8cad487f0bc9162cf92a9bcdcc", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:ad08ae20b9402461af863772a9e4ff5677e14f3fc86d5b148bd4faaaa361f601", + "zh:b8b7bd15fc1842aeedc2e5eab03b8357cdb2b9fe3e67dd82ae240be3081bf637", + "zh:bdb3858c4c632aad8d5c4bff063f3afb18de51cec3167b3496d5bc5856915301", + "zh:f354a433ec8095b06c2701725411ffb73a20ef9b1aa325434e1bb575b5c86d52", + "zh:f47e1342883d599f4675dcfdeb9707cdfcfaf53c677f93fd5c410580d4dece13", + ] +} diff --git a/modules/iam_roles/main.tf b/modules/iam_roles/main.tf new file mode 100644 index 0000000..f6d6563 --- /dev/null +++ b/modules/iam_roles/main.tf 
@@ -0,0 +1,45 @@
+locals {
+ name_suffix = "${var.tfc_organization_name}-${var.tfc_project_name}-${var.tfc_workspace_name}"
+ full_name = var.aws_iam_role_name_override != "" ? var.aws_iam_role_name_override : "${local.name_suffix}"
+}
+
+resource "aws_iam_role" "this" {
+ name = "tfc-role-${local.full_name}"
+
+ assume_role_policy = < instance.openid_claims }
+ description = "A map of 'full_name' as key and 'openid_claims' as value"
+}
+
+output "role_arns" {
+ value = { for instance in module.aws_tfc_dynamic_credentials_iam_roles : instance.full_name => instance.role_arn }
+ description = "A map of 'full_name' as key and 'role_arn' as value"
+}
+
+output "aws_tfc_audience" {
+ value = module.aws_identity_provider.aws_tfc_audience
+ sensitive = true
+}
diff --git a/variables.tf b/variables.tf
index e69de29..88468e2 100644
--- a/variables.tf
+++ b/variables.tf
@@ -0,0 +1,43 @@
+//
+// identity provider variables
+//
+
+variable "tfc_organization" {
+ type = string
+ description = "Name of the organization"
+}
+
+variable "tfc_aws_audience" {
+ type = string
+ description = "AWS audience"
+ default = "aws.workload.identity"
+}
+
+variable "tfc_hostname" {
+ type = string
+ default = "app.terraform.io"
+ description = "The hostname of the TFC or TFE instance you'd like to use with AWS"
+}
+
+//
+// dynamic credentials roles
+//
+
+variable "tfc_workspaces" {
+ type = list(object({
+ name_override = string
+ workspace = string
+ run_phase = string
+ policies = list(object({
+ Effect = string
+ Action = list(string)
+ Resource = string
+ }))
+ }))
+ description = "List of workspaces to create IAM roles for"
+}
+
+variable "tfc_project" {
+ type = string
+ description = "Name of the terraform cloud/enterprise project"
+}
diff --git a/versions.tf b/versions.tf
index 607f2e3..9c2bc80 100644
--- a/versions.tf
+++ b/versions.tf
@@ -1,5 +1,9 @@
 terraform {
 required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.3.0"
+ }
 }
 required_version = "~> 1.5.6"
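Review bot: `tfc_workspaces` carries no `validation` block although the root main.tf uses each entry's `name_override` as the `for_each` key of the IAM role module and expects one entry named `<tfc_project>-auth`, so duplicate `name_override` values fail at plan with a generic for_each error and an empty one yields a `""` key — which also clashes with the iam_roles module, whose locals treat `""` as "no override" (`var.aws_iam_role_name_override != "" ? … : "${local.name_suffix}"`). Requiring non-empty, distinct `name_override` values at the declaration documents the contract where callers read it. The `policies` element type admits only `Effect`, `Action` and `Resource`, so a caller cannot add `Condition`, `Sid` or `NotAction`, and the README example correspondingly shows service-wide actions on `Resource = "*"`; with the pinned Terraform 1.5 line, `optional(...)` attributes such as `Condition = optional(any)` would let callers narrow statements without breaking existing inputs, though the iam_roles module's policy rendering (not legible in this hunk) would need to pass them through.
```hcl
variable "tfc_workspaces" {
  // … unchanged: type = list(object({ … })) …
  description = "List of workspaces to create IAM roles for"

  validation {
    condition     = alltrue([for w in var.tfc_workspaces : w.name_override != ""])
    error_message = "Every tfc_workspaces entry needs a non-empty name_override; it is the for_each key of the IAM role module."
  }

  validation {
    condition     = length(distinct([for w in var.tfc_workspaces : w.name_override])) == length(var.tfc_workspaces)
    error_message = "name_override values in tfc_workspaces must be unique."
  }
}
```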