diff --git a/helm/cas-ciip-portal/terraform/main.tf b/helm/cas-ciip-portal/terraform/main.tf
new file mode 100644
index 000000000..2629873e5
--- /dev/null
+++ b/helm/cas-ciip-portal/terraform/main.tf
@@ -0,0 +1,99 @@
+terraform {
+ required_version = ">=1.4.6"
+
+ required_providers {
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "~> 2.23"
+ }
+ google = {
+ source = "hashicorp/google"
+ version = "~> 5.2.0"
+ }
+ }
+
+ backend "gcs" {}
+}
+
+# Configure OCP infrastructure to setup the host and authentication token
+provider "kubernetes" {
+ host = var.kubernetes_host
+ token = var.kubernetes_token
+}
+
+# Configure GCP infrastructure to setup the credentials, default project and location (zone and/or region) for your resources
+provider "google" {
+ project = var.project_id
+ region = local.region
+ credentials = "/Users/jolarouc/Repositories/cas-cif/.scratch/credentials.json"
+}
+
+# Create GCS buckets
+resource "google_storage_bucket" "bucket" {
+ for_each = { for v in var.apps : v => v }
+ name = "${var.openshift_namespace}-${each.value}"
+ location = local.region
+}
+
+# Create GCP service accounts for each GCS bucket
+resource "google_service_account" "account" {
+ for_each = { for v in var.apps : v => v }
+ account_id = "sa-${var.openshift_namespace}-${each.value}"
+ display_name = "${var.openshift_namespace}-${each.value} Service Account"
+ depends_on = [google_storage_bucket.bucket]
+}
+
+# Assign Storage Admin role for the corresponding service accounts
+resource "google_storage_bucket_iam_member" "admin" {
+ for_each = { for v in var.apps : v => v }
+ bucket = "${var.openshift_namespace}-${each.value}"
+ role = "roles/storage.admin"
+ member = "serviceAccount:${google_service_account.account[each.key].email}"
+ depends_on = [google_service_account.account]
+}
+
+# Create viewer GCP service accounts for each GCS bucket
+resource "google_service_account" "viewer_account" {
+ for_each = { for v in var.apps : v => v }
+ account_id = "ro-${var.openshift_namespace}-${each.value}"
+ display_name = "${var.openshift_namespace}-${each.value} Viewer Service Account"
+ depends_on = [google_storage_bucket.bucket]
+}
+
+# Assign (manually created) Storage Viewer role for the corresponding service accounts
+resource "google_storage_bucket_iam_member" "viewer" {
+ for_each = { for v in var.apps : v => v }
+ bucket = "${var.openshift_namespace}-${each.value}"
+ role = "projects/${var.project_id}/roles/${var.iam_storage_role_template_id}"
+ member = "serviceAccount:${google_service_account.viewer_account[each.key].email}"
+ depends_on = [google_service_account.viewer_account]
+}
+
+# Create keys for the service accounts
+resource "google_service_account_key" "key" {
+ for_each = { for v in var.apps : v => v }
+ service_account_id = google_service_account.account[each.key].name
+}
+
+# Create keys for the viewer service accounts
+resource "google_service_account_key" "viewer_key" {
+ for_each = { for v in var.apps : v => v }
+ service_account_id = google_service_account.viewer_account[each.key].name
+}
+
+resource "kubernetes_secret" "secret_sa" {
+ for_each = { for v in var.apps : v => v }
+ metadata {
+ name = "gcp-${var.openshift_namespace}-${each.value}-service-account-key"
+ namespace = var.openshift_namespace
+ labels = {
+ created-by = "Terraform"
+ }
+ }
+
+ data = {
+ "bucket_name" = "${var.openshift_namespace}-${each.value}"
+ "credentials.json" = base64decode(google_service_account_key.key[each.key].private_key)
+ "viewer_credentials.json" = base64decode(google_service_account_key.viewer_key[each.key].private_key)
+ }
+}
diff --git a/helm/cas-ciip-portal/terraform/variables.tf b/helm/cas-ciip-portal/terraform/variables.tf
new file mode 100644
index 000000000..d1919e69a
--- /dev/null
+++ b/helm/cas-ciip-portal/terraform/variables.tf
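Review bot: The `provider "google"` block hard-codes `credentials` to a developer's home-directory path (`/Users/jolarouc/.../.scratch/credentials.json`), so the module only applies on that workstation and bakes a key-file location into source; remove the attribute and let the provider resolve `GOOGLE_APPLICATION_CREDENTIALS`, or accept the path through a variable marked `sensitive = true`. In `google_storage_bucket_iam_member.admin`, `roles/storage.admin` also carries bucket IAM permissions, so the key mounted into the pod could widen access on its own bucket; if the app only creates, reads and deletes objects, `role = "roles/storage.objectAdmin"` is sufficient. The `google_storage_bucket` resources are created with defaults — adding `uniform_bucket_level_access = true` and `public_access_prevention = "enforced"` disables legacy object ACLs and blocks accidental public exposure. Both `google_service_account_key` private keys land in plaintext in the GCS-backed state as well as in `kubernetes_secret.secret_sa`, and because that single secret holds the admin and the viewer key together, any workload mounted for read-only access also obtains the admin key; a separate secret for `viewer_credentials.json` would preserve the separation the `ro-` accounts are meant to provide, and access to the state bucket needs to be restricted at least as tightly as the namespace secret.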
@@ -0,0 +1,33 @@
+# Since variables could be overridden via environment variables, use local values to define immutable values
+locals {
+ # The GCP region to create things in. https://cloud.google.com/compute/docs/regions-zones"
+ region = "northamerica-northeast1" # Montreal
+}
+
+variable "project_id" {
+ description = "The ID of the GCP project"
+}
+
+variable "kubernetes_host" {
+ description = "The hostname of the OCP cluster"
+}
+
+variable "kubernetes_token" {
+ description = "The authentication token of the OCP cluster"
+}
+
+variable "apps" {
+ type = list(string)
+ description = "The list of app names for the OCP project in a namespace"
+}
+
+variable "openshift_namespace" {
+ type = string
+ description = "The OCP project namespace"
+}
+
+variable "iam_storage_role_template_id" {
+ type = string
+ description = "ID for a custom IAM role template we manually created in GCP for Storage Viewers"
+ default = "casStorageViewer"
+}
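Review bot: `variable "kubernetes_token"` holds the OCP cluster credential but is not marked sensitive, so its value is echoed in plain text in `terraform plan`/`apply` output and in any CI log that captures it; add `type = string` and `sensitive = true` to that block. The same `type = string` constraint would also suit `project_id` and `kubernetes_host`, which are left untyped while the later variables in the file are typed. The regions-zones URL in the `locals` comment ends with a stray `"` that looks like a leftover and can be dropped.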