diff --git a/scripts/setup-azure-storage.sh b/scripts/setup-azure-storage.sh
new file mode 100644
index 0000000..5a5e262
--- /dev/null
+++ b/scripts/setup-azure-storage.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+environment=testnet
+TFSTATE_RESOURCE_GROUP_NAME=tfstate-$environment
+TFSTATE_STORAGE_ACCOUNT_NAME=tfstate$RANDOM$environment
+TFSTATE_BLOB_CONTAINER_NAME=tfstate-$environment
+
+az group create -n $TFSTATE_RESOURCE_GROUP_NAME -l eastus
+az storage account create -g $TFSTATE_RESOURCE_GROUP_NAME -n $TFSTATE_STORAGE_ACCOUNT_NAME --sku Standard_LRS --encryption-services blob
+TFSTATE_STORAGE_ACCOUNT_KEY=$(az storage account keys list -g $TFSTATE_RESOURCE_GROUP_NAME --account-name $TFSTATE_STORAGE_ACCOUNT_NAME --query [0].value -o tsv)
+az storage container create -n $TFSTATE_BLOB_CONTAINER_NAME --account-name $TFSTATE_STORAGE_ACCOUNT_NAME --account-key $TFSTATE_STORAGE_ACCOUNT_KEY
+
+az group lock create --lock-type CanNotDelete -n CanNotDelete -g $TFSTATE_RESOURCE_GROUP_NAME
+
diff --git a/scripts/setup-rbac.sh b/scripts/setup-rbac.sh
new file mode 100644
index 0000000..e1c5012
--- /dev/null
+++ b/scripts/setup-rbac.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+environment=testnet
+spName=tf-sp-$environment
+TENANT_ID=$(az account show --query tenantId -o tsv)
+SUBSCRIPTION_ID=$(az account show --query id -o tsv)
+
+TF_SP_SECRET=$(az ad sp create-for-rbac -n $spName --role Contributor --query password -o tsv)
+TF_SP_ID=$(az ad sp list --display-name $spName --query [0].appId -o tsv)
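Review bot: In scripts/setup-azure-storage.sh the account key is read into `TFSTATE_STORAGE_ACCOUNT_KEY` and then passed as `--account-key` on the `az storage container create` command line, where it is visible in the process list and in any `set -x` trace. The account is meant to hold Terraform state, which commonly contains secrets, so prefer `az storage container create -n "$TFSTATE_BLOB_CONTAINER_NAME" --account-name "$TFSTATE_STORAGE_ACCOUNT_NAME" --auth-mode login` and drop the key lookup if nothing else consumes it (the caller then needs a blob data role on the account). The `az storage account create` call also relies on defaults; adding `--https-only true --min-tls-version TLS1_2 --allow-blob-public-access false` makes the intended posture explicit. There is no `set -euo pipefail` after the shebang, so a failed account create (for instance a `tfstate$RANDOM$environment` name collision) still runs the later steps with an empty key, and the unquoted `--query [0].value` is open to glob expansion.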
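Review bot: In scripts/setup-rbac.sh the `az ad sp create-for-rbac -n $spName --role Contributor` call has no `--scopes`, so depending on the installed az CLI version it either assigns Contributor across the whole subscription or is rejected; confirm which applies to the version in use. State the scope explicitly and keep it as narrow as the Terraform configuration allows, for example `--scopes "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/<RESOURCE_GROUP_PLACEHOLDER>"`, reusing the `SUBSCRIPTION_ID` read two lines earlier. The generated secret lands only in the unexported `TF_SP_SECRET`, so unless the script is sourced it is lost on exit; a header comment saying how `TF_SP_SECRET`, `TF_SP_ID`, `TENANT_ID` and `SUBSCRIPTION_ID` are meant to be consumed (and that the secret must not be echoed or committed) would help. Looking up `TF_SP_ID` by display name with `[0]` can return a different application that shares the name; taking `appId` from the same `create-for-rbac` output avoids that.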