diff --git a/ci.nix b/ci.nix
index c0f0f6b..1c09682 100644
--- a/ci.nix
+++ b/ci.nix
@@ -4,6 +4,7 @@
 }:
 let
   self = builtins.getFlake (toString ./.);
+  terraform = builtins.getFlake (toString ./terraform/.);
   inherit (self.inputs) nixpkgs;
   stripDomain = name: nixpkgs.lib.head (builtins.match "(.*).nix-community.org" name);
 in
@@ -12,4 +13,5 @@ in
   # FIXME: maybe find a more generic solution here?
   devShell-x86_64 = self.outputs.devShells.x86_64-linux.default;
   devShell-aarch64 = self.outputs.devShells.aarch64-linux.default;
+  devShell-terraform-x86_64 = terraform.outputs.devShells.x86_64-linux.default;
 } // self.outputs.checks.x86_64-linux # mainly for treefmt at the moment...
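Review bot: The new `devShell-terraform-x86_64` attribute is the only CI coverage for the terraform shell, while terraform/flake.nix declares it for four systems and the root shell is also built for aarch64-linux two lines up. If aarch64 builders are available to this job, as the existing `devShell-aarch64` line suggests, add `devShell-terraform-aarch64 = terraform.outputs.devShells.aarch64-linux.default;`. Otherwise a comment such as `# terraform shell is only built for x86_64-linux in CI` would record that the gap is deliberate. The attribute set starts outside this hunk.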
diff --git a/shell.nix b/shell.nix
index 5e52500..2a41db0 100644
--- a/shell.nix
+++ b/shell.nix
@@ -5,17 +5,6 @@
 with pkgs;
 mkShellNoCC {
   buildInputs = [
-    (terraform.withPlugins (
-      p: [
-        p.cloudflare
-        p.external
-        p.gandi
-        p.hydra
-        p.null
-        p.sops
-        p.tfe
-      ]
-    ))
     jq
     sops
     ssh-to-age
diff --git a/terraform/flake.lock b/terraform/flake.lock
new file mode 100644
index 0000000..fdb1766
--- /dev/null
+++ b/terraform/flake.lock
@@ -0,0 +1,27 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1676795730,
+        "narHash": "sha256-X69A9BdcPTySJJ7DqS4wc8b6eqGKi32jCSyaBsz4WB0=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "efc59894b1ba73cb745676616c56c780383d6788",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/terraform/flake.nix b/terraform/flake.nix
new file mode 100644
index 0000000..fc7016f
--- /dev/null
+++ b/terraform/flake.nix
@@ -0,0 +1,24 @@
+{
+  description = "terraform devshell";
+
+  inputs.nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+
+  outputs = { nixpkgs, self }: {
+    devShells = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ]
+      (system: {
+        default = with nixpkgs.legacyPackages.${system}; mkShellNoCC {
+          packages = [
+            (terraform.withPlugins (p: [
+              p.cloudflare
+              p.external
+              p.gandi
+              p.hydra
+              p.null
+              p.sops
+              p.tfe
+            ]))
+          ];
+        };
+      });
+  };
+}
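Review bot: Nothing in this file records that terraform and its seven provider plugins are now pinned by terraform/flake.lock rather than by the root lock. ci.nix loads this flake by path through `builtins.getFlake` instead of as a root input, so updating the root flake presumably will not move this pin; whether the repository's update automation covers this subdirectory is not visible in the diff. Since this toolchain handles provider credentials and sops-encrypted state, a stale pin is worth guarding against with a comment above `inputs.nixpkgs.url`, for example `# Locked separately in terraform/flake.lock; refresh with "nix flake update" from this directory.`. As a smaller style point, `self` is bound in `outputs = { nixpkgs, self }:` but never used. The `with nixpkgs.legacyPackages.${system};` could become `let pkgs = nixpkgs.legacyPackages.${system}; in pkgs.mkShellNoCC { … }` with `pkgs.terraform.withPlugins`, so the origin of `terraform` is explicit.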