diff --git a/.github/workflows/documentation.yml b/.github/workflows/documentation.yml
new file mode 100644
index 0000000..0bebeec
--- /dev/null
+++ b/.github/workflows/documentation.yml
@@ -0,0 +1,25 @@
+name: Generate Terraform README docs
+on:
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - main
+ paths:
+ - '**.md'
+ - '.github/workflows/documentation.yml'
+
+jobs:
+ docs:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ with:
+ ref: ${{ github.event.pull_request.head.ref }}
+
+ - name: Render terraform docs and push changes back to PR
+ uses: terraform-docs/gh-actions@v0.10.0
+ with:
+ working-dir: .
+ output-file: README.md
+ output-method: inject
+ git-push: "true"
diff --git a/.github/workflows/terraform-static-analysis.yml b/.github/workflows/terraform-static-analysis.yml
new file mode 100644
index 0000000..243eab5
--- /dev/null
+++ b/.github/workflows/terraform-static-analysis.yml
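Review bot: The docs step is referenced by a mutable tag, `uses: terraform-docs/gh-actions@v0.10.0`, and is given push rights to the PR branch through `git-push: "true"`, so a moved or compromised tag could commit arbitrary content into this repository; pin it (and `actions/checkout@v2`) to a full commit SHA with the version kept in a trailing comment, e.g. `uses: terraform-docs/gh-actions@<full-commit-sha>  # v0.10.0`. The checkout `ref: ${{ github.event.pull_request.head.ref }}` is empty on the `workflow_dispatch` trigger and, for a PR opened from a fork, names a branch that does not exist in this repository, so the push-back step can only work for same-repository PRs; either guard the job with `if: github.event.pull_request.head.repo.full_name == github.repository` or document that limitation. An explicit top-level `permissions:` block granting only `contents: write` would also make the token scope the push relies on visible rather than inherited from repository defaults.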
@@ -0,0 +1,47 @@
+name: Terraform Static Code Analysis
+
+on:
+ workflow_dispatch:
+ pull_request:
+ branches:
+ - main
+ paths:
+ - '**.tf'
+ - '.github/workflows/terraform-static-analysis.yml'
+
+jobs:
+ terraform-static-analysis:
+ name: Terraform Static Analysis
+ runs-on: ubuntu-latest
+ if: github.event_name != 'workflow_dispatch'
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2.3.4
+ with:
+ fetch-depth: 0
+ - name: Run Analysis
+ uses: ministryofjustice/github-actions/terraform-static-analysis@main
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ scan_type: single
+ tfsec_exclude: AWS089, AWS099, AWS009, AWS097, AWS018
+ checkov_exclude: CKV_GIT_1
+
+ terraform-static-analysis-full-scan:
+ name: Terraform Static Analysis - scan all directories
+ runs-on: ubuntu-latest
+ if: github.event_name == 'workflow_dispatch'
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2.3.4
+ with:
+ fetch-depth: 0
+ - name: Run Analysis
+ uses: ministryofjustice/github-actions/terraform-static-analysis@main
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ scan_type: full
+ tfsec_exclude: AWS089, AWS099, AWS009, AWS097, AWS018
+ checkov_exclude: CKV_GIT_1
diff --git a/README.md b/README.md
index 0826d50..5dbd469 100644
--- a/README.md
+++ b/README.md
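Review bot: Both `Run Analysis` steps track a moving branch, `uses: ministryofjustice/github-actions/terraform-static-analysis@main`, so any change pushed to that branch runs in this repository with `GITHUB_TOKEN` without being reviewed here; pin it to a release tag or, preferably, a full commit SHA, and do the same for `actions/checkout@v2.3.4`. The suppression lists `tfsec_exclude: AWS089, AWS099, AWS009, AWS097, AWS018` and `checkov_exclude: CKV_GIT_1` are copied into both jobs with no rationale, so they will be carried forward unexamined; hoist them into a workflow-level `env:` block and add one comment per check stating why the finding is accepted (e.g. `# AWS018: <reason this check is accepted here>`). The two jobs are otherwise identical apart from `scan_type`, which suggests a single job could select that value from `github.event_name` instead of duplicating the whole step list.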
@@ -1,15 +1,61 @@
-# Ministry of Justice Template Repository
+## Usage
-Use this template to [create a repository] with the default initial files for a Ministry of Justice Github repository, including:
+```hcl
-* The correct LICENSE
-* Github actions
-* .gitignore file
+module "vm-import" {
-Once you have created your repository, please:
+ source = "github.com/ministryofjustice/modernisation-platform-terraform-aws-vm-import"
-* Edit the copy of this README.md file to document your project
-* Grant permissions to the appropriate MoJ teams
-* Setup branch protection
+ bucket_prefix = local.application_data.accounts[local.environment].bucket_prefix
+ tags = local.tags
+ application_name = local.application_name
-[create a repository]: https://github.com/ministryofjustice/template-repository/generate
+}
+
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [terraform](#requirement\_terraform) | >= 1.0.1 |
+| [aws](#requirement\_aws) | >= 3.47.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | >= 3.47.0 |
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| [s3-bucket](#module\_s3-bucket) | git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket | v4.0.0 |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.vmimport-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_role.vmimport](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+| [aws_iam_role_policy_attachment.vmimport_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_policy_document.vmimport-trust-policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [account\_number](#input\_account\_number) | Account number of current environment | `string` | n/a | yes |
+| [application\_name](#input\_application\_name) | Name of application | `string` | n/a | yes |
+| [bucket\_prefix](#input\_bucket\_prefix) | Prefix for s3 bucket | `string` | n/a | yes |
+| [tags](#input\_tags) | Common tags to be used by all resources | `map(string)` | n/a | yes |
+
+## Outputs
+
+No outputs.
+
+
+
+## Looking for issues?
+If you're looking to raise an issue with this module, please create a new issue in the [Modernisation Platform repository](https://github.com/ministryofjustice/modernisation-platform/issues).
diff --git a/main.tf b/main.tf
new file mode 100644
index 0000000..cdbfbc1
--- /dev/null
+++ b/main.tf
@@ -0,0 +1,120 @@
+module "s3-bucket" {
+ source = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v4.0.0"
+
+ providers = {
+ aws.bucket-replication = aws.bucket-replication
+ }
+ bucket_prefix = var.bucket_prefix
+ replication_enabled = false
+
+ lifecycle_rule = [
+ {
+ id = "main"
+ enabled = true
+ prefix = ""
+
+ tags = {
+ rule = "log"
+ autoclean = "true"
+ }
+
+ transition = [
+ {
+ days = 90
+ storage_class = "STANDARD_IA"
+ }, {
+ days = 365
+ storage_class = "GLACIER"
+ }
+ ]
+
+ expiration = {
+ days = 730
+ }
+
+ noncurrent_version_transition = [
+ {
+ days = 90
+ storage_class = "STANDARD_IA"
+ }, {
+ days = 365
+ storage_class = "GLACIER"
+ }
+ ]
+
+ noncurrent_version_expiration = {
+ days = 730
+ }
+ }
+ ]
+
+ tags = var.tags
+}
+
+resource "aws_iam_role" "vmimport" {
+ name = "vmimport"
+ assume_role_policy = data.aws_iam_policy_document.vmimport-trust-policy.json
+ tags = merge(
+ var.tags,
+ {
+ Name = "${var.application_name}-vmimport-role"
+ }
+ )
+}
+
+data "aws_iam_policy_document" "vmimport-trust-policy" {
+ version = "2012-10-17"
+ statement {
+ sid = ""
+ effect = "Allow"
+ actions = [
+ "sts:AssumeRole",
+ ]
+ principals {
+ type = "Service"
+ identifiers = [
+ "vmie.amazonaws.com"
+ ]
+ }
+ }
+}
+
+resource "aws_iam_policy" "vmimport-policy" {
+ name = "${var.application_name}-vmimport-policy"
+ policy = <