diff --git a/aws/root-iam/install.sh b/aws/root-iam/install.sh
new file mode 100644
index 000000000..0601ea41d
--- /dev/null
+++ b/aws/root-iam/install.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+
+## Spaces before and after `backend` required to select right word, because `backend` appears 3 times in main.tf
+sed -Ei 's/^(\s+role_arn\s+)/#\1/' main.tf
+
+init-terraform
+echo "yes" | terraform apply
+
+sed -Ei 's/^#(\s+role_arn\s+)/\1/' main.tf
+
+echo "Root IAM Role provisioned"
diff --git a/aws/tfstate-backend/install.sh b/aws/tfstate-backend/install.sh
new file mode 100755
index 000000000..e3eb91cf2
--- /dev/null
+++ b/aws/tfstate-backend/install.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+DISABLE_ROLE_ARN=${DISABLE_ROLE_ARN:-0}
+
+sed -Ei 's/^(\s+backend\s+)/#\1/' main.tf
+[ "${DISABLE_ROLE_ARN}" == "0" ] || sed -Ei 's/^(\s+role_arn\s+)/#\1/' main.tf
+
+init-terraform
+echo "yes" | terraform apply
+
+export TF_BUCKET=$(terraform output -json | jq -r .tfstate_backend_s3_bucket_id.value)
+export TF_DYNAMODB_TABLE=$(terraform output -json | jq -r .tfstate_backend_dynamodb_table_id.value)
+export TF_BUCKET_REGION=${TF_VAR_region}
+
+sed -Ei 's/^#(\s+backend\s+)/\1/' main.tf
+
+echo "yes" | init-terraform
+
+[ "${DISABLE_ROLE_ARN}" == "0" ] || sed -Ei 's/^#(\s+role_arn\s+)/\1/' main.tf
+
+echo "Add the following to the Geodesic Module's Dockerfile:"
+echo "#----------------------------------------------"
+echo "ENV TF_BUCKET=\"${TF_BUCKET}\""
+echo "ENV TF_BUCKET_REGION=\"${TF_BUCKET_REGION}\""
+echo "ENV TF_DYNAMODB_TABLE=\"${TF_DYNAMODB_TABLE}\""
+echo "#----------------------------------------------"
+echo "And rebuild the module"