diff --git a/code/infra/appconfiguration.tf b/code/infra/appconfiguration.tf
new file mode 100644
index 0000000..c16372b
--- /dev/null
+++ b/code/infra/appconfiguration.tf
@@ -0,0 +1,14 @@
+resource "azurerm_app_configuration" "app_configuration" {
+ name = "${local.prefix}-appcs001"
+ location = var.location
+ resource_group_name = azurerm_resource_group.app_rg.name
+ tags = var.tags
+ identity {
+ type = "SystemAssigned"
+ }
+
+ local_auth_enabled = false
+ public_network_access = "Enabled"
+ purge_protection_enabled = true
+ sku = "standard"
+}
diff --git a/code/infra/roleassignments.tf b/code/infra/roleassignments.tf
index ba7b169..261d816 100644
--- a/code/infra/roleassignments.tf
+++ b/code/infra/roleassignments.tf
@@ -1,9 +1,17 @@
+# Current role assignments
 resource "azurerm_role_assignment" "current_role_assignment_key_vault" {
 scope = azurerm_key_vault.key_vault.id
 role_definition_name = "Key Vault Administrator"
 principal_id = data.azurerm_client_config.current.object_id
 }
 
+resource "azurerm_role_assignment" "current_role_assignment_app_configuration" {
+ scope = azurerm_app_configuration.app_configuration.id
+ role_definition_name = "App Configuration Data Owner"
+ principal_id = data.azurerm_client_config.current.object_id
+}
+
+# Function role assignments
 resource "azurerm_role_assignment" "function_role_assignment_storage_blob_data_owner" {
 scope = azurerm_storage_account.storage.id
 role_definition_name = "Storage Blob Data Owner"
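Review bot: `public_network_access = "Enabled"` on the new `azurerm_app_configuration.app_configuration` leaves the store reachable from any network, which sits oddly beside the hardening already in the same block (`local_auth_enabled = false`, `purge_protection_enabled = true`). If the consuming function has VNet integration or private endpoints elsewhere in this infra (not visible here), `public_network_access = "Disabled"` plus a private endpoint would close that path; if it must stay public, a one-line comment such as `# public access kept deliberately: consumers reach the store over the internet with Entra ID auth only` would record the decision for the next reader. Because access keys are disabled, authentication is managed-identity only in either case, so the exposure is the network surface rather than a credential. As a layout point, the `identity` block between `tags` and the scalar arguments reads more naturally after them, matching the usual azurerm resource shape.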
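Review bot: The new `current_role_assignment_app_configuration` gives the deploying principal "App Configuration Data Owner", and with `local_auth_enabled = false` on the store that assignment is the only way Terraform can write keys, but Azure RBAC assignments propagate with a delay. Any `azurerm_app_configuration_key` resources created in the same apply (none are visible in this diff) should carry `depends_on = [azurerm_role_assignment.current_role_assignment_app_configuration]`, as the provider documentation recommends; otherwise the first apply is likely to fail with a 403 and succeed only on retry. The `# Function role assignments` label is a helpful addition; the storage blob data owner resource it labels continues past the hunk.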
@@ -36,3 +44,16 @@ resource "azurerm_role_assignment" "function_role_assignment_key_vault" {
 # role_definition_name = "Monitoring Metrics Publisher"
 # principal_id = azapi_resource.function.identity[0].principal_id
 # }
+
+resource "azurerm_role_assignment" "function_role_assignment_app_configuration" {
+ scope = azurerm_app_configuration.app_configuration.id
+ role_definition_name = "App Configuration Data Reader"
+ principal_id = azapi_resource.function.identity[0].principal_id
+}
+
+# App Configuration role assignments
+resource "azurerm_role_assignment" "app_configuration_role_assignment_key_vault" {
+ scope = azurerm_key_vault.key_vault.id
+ role_definition_name = "Key Vault Secrets Reader"
+ principal_id = azurerm_app_configuration.app_configuration.identity[0].principal_id
+}
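Review bot: `role_definition_name = "Key Vault Secrets Reader"` in `app_configuration_role_assignment_key_vault` does not match a built-in Azure role — the built-in role that allows reading secret values is "Key Vault Secrets User" (and "Key Vault Reader" covers metadata only) — so the apply will fail on the role-definition lookup unless a custom role with exactly that name exists in the tenant. Before correcting the name it is worth checking whether the grant is needed at all: App Configuration stores Key Vault references as URIs and the consuming client resolves them with its own identity, which the function already holds through `function_role_assignment_key_vault` (its hunk header is visible above), so giving the store's own identity secret read access adds privilege without an obvious consumer. If the store identity genuinely needs it, `role_definition_name = "Key Vault Secrets User"` is the least-privilege built-in choice; otherwise removing the resource is the safer change. The function's `"App Configuration Data Reader"` assignment above it is scoped appropriately.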