diff --git a/azure/terraform/key-vault-bb/README.md b/azure/terraform/key-vault-bb/README.md
new file mode 100644
index 0000000..8bf8ee0
--- /dev/null
+++ b/azure/terraform/key-vault-bb/README.md
@@ -0,0 +1,68 @@
+# Terraform Module: Azure Key Vault
+
+This Terraform module provisions an Azure Key Vault along with necessary role assignments.
+
+## Features
+- Creates an Azure Key Vault with soft delete and purge protection enabled.
+- Assigns the "Key Vault Administrator" role to a specified Azure AD group.
+- Outputs essential details like Key Vault ID, name, and resource group.
+
+## Requirements
+- Terraform `>= 1.0`
+- AzureRM Provider `>= 4.18.0`
+
+## Providers
+
+```hcl
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "4.18.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+}
+```
+
+## Inputs
+
+| Name | Type | Description | Required |
+|--------------------------------|--------|--------------------------------------------------|----------|
+| `key_vault_name` | string | The name of the Key Vault. | Yes |
+| `key_vault_resource_group_name` | string | The name of the resource group for the Key Vault. | Yes |
+| `location` | string | The Azure region where the Key Vault is created. | Yes |
+
+## Outputs
+
+| Name | Description |
+|-----------------------------|------------------------------------------------|
+| `key_vault_id` | The ID of the created Key Vault. |
+| `key_vault_name` | The name of the created Key Vault. |
+| `key_vault_resource_group` | The resource group containing the Key Vault. |
+
+## Usage Example
+
+```hcl
+module "key_vault" {
+ source = "./modules/key_vault"
+ key_vault_name = "my-keyvault"
+ key_vault_resource_group_name = "my-resource-group"
+ location = "West Europe"
+}
+
+output "vault_id" {
+ value = module.key_vault.key_vault_id
+}
+```
+
+## Notes
+- Make sure the Azure AD group exists before assigning the role.
+- Ensure that your Terraform identity has the necessary permissions to create and manage Key Vaults.
+
+## License
+MIT
+
diff --git a/azure/terraform/key-vault-bb/main.tf b/azure/terraform/key-vault-bb/main.tf
new file mode 100644
index 0000000..619e93a
--- /dev/null
+++ b/azure/terraform/key-vault-bb/main.tf
@@ -0,0 +1,28 @@
+// useful terraform outputs
+data "azurerm_client_config" "current" {}
+
+resource "azurerm_resource_group" "key_vault" {
+ name = var.key_vault_resource_group_name
+ location = var.terraform_state_storage.location
+}
+
+resource "azurerm_key_vault" "key_vault" {
+ name = var.key_vault_name
+ location = var.location
+ resource_group_name = azurerm_resource_group.key_vault.name
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ sku_name = "standard"
+ soft_delete_retention_days = 7
+ purge_protection_enabled = true
+ enable_rbac_authorization = true
+}
+
+data "azurerm_role_definition" "keyvault" {
+ name = "Key Vault Administrator"
+}
+
+resource "azurerm_role_assignment" "cloudfoundation_tfdeploy" {
+ principal_id = azuread_group.platform_engineers.object_id
+ scope = azurerm_key_vault.key_vault.id
+ role_definition_name = data.azurerm_role_definition.keyvault.name
+}
diff --git a/azure/terraform/key-vault-bb/outputs.tf b/azure/terraform/key-vault-bb/outputs.tf
new file mode 100644
index 0000000..c185a1a
--- /dev/null
+++ b/azure/terraform/key-vault-bb/outputs.tf
@@ -0,0 +1,11 @@
+output "key_vault_id" {
+ value = azurerm_key_vault.key_vault.id
+}
+
+output "key_vault_name" {
+ value = azurerm_key_vault.key_vault.name
+}
+
+output "key_vault_resource_group" {
+ value = azurerm_resource_group.key_vault.name
+}
diff --git a/azure/terraform/key-vault-bb/providers.tf b/azure/terraform/key-vault-bb/providers.tf
new file mode 100644
index 0000000..22568d6
--- /dev/null
+++ b/azure/terraform/key-vault-bb/providers.tf
@@ -0,0 +1,12 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "4.18.0"
+ }
+ }
+}
+
+provider "azurerm" {
+ features {}
+}
diff --git a/azure/terraform/key-vault-bb/variables.tf b/azure/terraform/key-vault-bb/variables.tf
new file mode 100644
index 0000000..8e97508
--- /dev/null
+++ b/azure/terraform/key-vault-bb/variables.tf
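Review bot: `azurerm_resource_group.key_vault` reads `var.terraform_state_storage.location` and the role assignment reads `azuread_group.platform_engineers.object_id`, but neither is declared anywhere in this module (variables.tf in the same commit declares only `key_vault_name`, `key_vault_resource_group_name` and `location`, and no `azuread` provider or group resource is added), so `terraform plan` will fail on undeclared references; the first should be `var.location` and the group's object ID should arrive as an input variable, which also matches the README's claim that the group is "specified". Separately, the vault sets no `network_acls` block and does not touch public network access, so with the provider defaults the data plane is reachable from any network and protection rests solely on RBAC; a default-deny `network_acls` block (with an allow-list variable if consumers need one) is the usual baseline for a vault holding secrets. The `data "azurerm_role_definition" "keyvault"` lookup only round-trips the literal `"Key Vault Administrator"` back into `role_definition_name`, so it can be dropped in favour of the literal (or `role_definition_id = data.azurerm_role_definition.keyvault.id` if the lookup is kept). The `// useful terraform outputs` comment on the `azurerm_client_config` data source is misleading — the block reads the caller's tenant, it does not declare outputs — and `#` is the conventional HCL comment marker.

```hcl
resource "azurerm_resource_group" "key_vault" {
  name     = var.key_vault_resource_group_name
  location = var.location # var.terraform_state_storage is not declared in this module
}

resource "azurerm_key_vault" "key_vault" {
  # … unchanged: name, location, resource_group_name, tenant_id, sku_name, soft delete, purge protection, RBAC …

  # Default-deny the data plane; trusted Azure services still pass. Widen with an allow-list variable if needed.
  network_acls {
    default_action = "Deny"
    bypass         = "AzureServices"
  }
}

resource "azurerm_role_assignment" "cloudfoundation_tfdeploy" {
  principal_id         = var.key_vault_admin_principal_id # object ID of the admin group; declare in variables.tf
  scope                = azurerm_key_vault.key_vault.id
  role_definition_name = "Key Vault Administrator"
}
```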
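Review bot: `providers.tf` pins `azurerm` to exactly `"4.18.0"` while the README in this same commit advertises `>= 4.18.0`, and it embeds a `provider "azurerm" { features {} }` configuration in what the README's usage example consumes as a child module (`module "key_vault" { source = "./modules/key_vault" ... }`); Terraform forbids `count`, `for_each` and `depends_on` on modules that carry their own provider blocks and makes such modules awkward to remove, so the provider configuration should live in the root module and this file should only declare `required_providers` with a range such as `version = "~> 4.18"`. The `terraform` block also lacks a `required_version` even though the README states Terraform `>= 1.0`; `required_version = ">= 1.0"` belongs in the same block. `versions.tf` is added as an empty file (blob `e69de29`) while the version constraints sit in `providers.tf`, so one of the two should be dropped to avoid two homes for the same declaration.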
@@ -0,0 +1,16 @@
+variable "key_vault_name" {
+ type = string
+ nullable = false
+ description = "The name of the key vault."
+}
+
+variable "key_vault_resource_group_name" {
+ type = string
+ nullable = false
+ description = "The name of the resource group containing the key vault."
+}
+
+variable "location" {
+ type = string
+ description = "The location/region where the key vault is created."
+}
diff --git a/azure/terraform/key-vault-bb/versions.tf b/azure/terraform/key-vault-bb/versions.tf
new file mode 100644
index 0000000..e69de29
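Review bot: `location` is the only variable here without `nullable = false`, so a caller can pass `null` and it flows straight into the resource group and vault `location` arguments instead of being rejected at the module boundary; add `nullable = false` to match its two siblings. `key_vault_name` is accepted unvalidated although it becomes a globally unique DNS label with tight rules (3–24 characters, letters, digits and hyphens, starting with a letter), so a `validation` block catches bad names at plan time rather than from the ARM API. main.tf in this commit additionally references `var.terraform_state_storage`, which this file never declares, so the module cannot plan as submitted.

```hcl
variable "key_vault_name" {
  type        = string
  nullable    = false
  description = "The name of the key vault."

  # Key Vault names are a global DNS label: 3-24 chars, letters/digits/hyphens, must start with a letter.
  validation {
    condition     = can(regex("^[A-Za-z][A-Za-z0-9-]{2,23}$", var.key_vault_name))
    error_message = "key_vault_name must be 3-24 characters, alphanumeric or hyphens, and start with a letter."
  }
}

# … unchanged: key_vault_resource_group_name …

variable "location" {
  type        = string
  nullable    = false
  description = "The location/region where the key vault is created."
}
```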