diff --git a/terraform/modules/bucket/main.tf b/terraform/modules/bucket/main.tf
index f8e7b9d7..a92dc84f 100644
--- a/terraform/modules/bucket/main.tf
+++ b/terraform/modules/bucket/main.tf
@@ -13,7 +13,7 @@ resource "azurerm_storage_account" "bucket" {
   network_rules {
     default_action = var.policy
     virtual_network_subnet_ids = var.subnet_ids
-    #ip_rules = ["66.220.238.246/30"]
+    ip_rules = values(var.whitelist)
   }
 }
diff --git a/terraform/modules/bucket/variables.tf b/terraform/modules/bucket/variables.tf
index 7b2ae300..82367ed7 100644
--- a/terraform/modules/bucket/variables.tf
+++ b/terraform/modules/bucket/variables.tf
@@ -40,3 +40,9 @@ variable "policy" {
   default = "Deny"
   type = string
 }
+
+variable "whitelist" {
+  type = map
+  description = "A map of whitelisted IPs and CIDR ranges. For single IPs, Azure expects just the IP, NOT a /32."
+  default = {}
+}
diff --git a/terraform/providers/dev/buckets.tf b/terraform/providers/dev/buckets.tf
index d798214f..ad2c7ab5 100644
--- a/terraform/providers/dev/buckets.tf
+++ b/terraform/providers/dev/buckets.tf
@@ -1,3 +1,5 @@
+# Task order bucket is required to be accessible publicly by the users.
+# which is why the policy here is "Allow"
 module "task_order_bucket" {
   source = "../../modules/bucket"
   service_name = "jeditasksatat"
@@ -5,10 +7,15 @@ module "task_order_bucket" {
   name = var.name
   environment = var.environment
   region = var.region
-  policy = "Deny"
+  policy = "Allow"
   subnet_ids = [module.vpc.subnets]
+  whitelist = var.admin_user_whitelist
 }
 
+# TF State should be restricted to admins only, but IP protected
+# This has to be public due to a chicken/egg issue of VPN not
+# existing until TF is run. If this bucket is private, you would
+# not be able to access it when running TF without being on a VPN.
 module "tf_state" {
   source = "../../modules/bucket"
   service_name = "jedidevtfstate"
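Review bot: `ip_rules = values(var.whitelist)` is only consulted by Azure when `default_action` is `"Deny"`; when a caller passes `policy = "Allow"` the allow-list is silently ignored and the account stays reachable from every source, and the module neither documents nor guards that combination. Suggest a comment on the new line, `# ip_rules only take effect when default_action is "Deny"; with "Allow" every source is accepted`, so callers of the module see the dependency between the two variables. The enclosing `azurerm_storage_account` resource starts before this hunk.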
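Review bot: `type = map` on the new `whitelist` variable is the legacy unconstrained form (equivalent to `map(any)`), so a non-string value would only fail when the Azure API rejects it rather than at plan time; `type = map(string)` pins the element type. The description correctly covers the no-/32 quirk but not that the entries are enforced only while `policy` is `"Deny"`, which is worth one extra sentence since the module exposes both variables independently.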
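Review bot: The comment added above `module "task_order_bucket"` is split mid-sentence by a stray period (`...by the users. which is why...`) and does not say what "publicly" means at the network-rules level. Suggest `# Task order bucket must be reachable by end users from any network, so default_action is "Allow" and no IP/VNet restriction applies.`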
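Review bot: `whitelist = var.admin_user_whitelist` on `task_order_bucket` is dead configuration, because the same hunk sets `policy = "Allow"` and Azure only consults `ip_rules` when the default action is Deny; a reader will assume the bucket is limited to admin IPs when it is in fact open to all networks. Either drop the `whitelist` line here or, if admin-only access is the intent, keep `policy = "Deny"` and add the end-user ranges to the list. The added comment for `tf_state` says both "restricted to admins only" and "has to be public", which reads as a contradiction; it would be clearer as `# TF state must not depend on the VPN (chicken/egg: the VPN is created by this TF run), so it is default-Deny with admin IPs allowed instead of VNet-restricted.`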
@@ -16,6 +23,7 @@ module "tf_state" {
   name = var.name
   environment = var.environment
   region = var.region
-  policy = "Allow"
+  policy = "Deny"
   subnet_ids = []
+  whitelist = var.admin_user_whitelist
 }
diff --git a/terraform/providers/dev/variables.tf b/terraform/providers/dev/variables.tf
index fc3afa30..573b6cc9 100644
--- a/terraform/providers/dev/variables.tf
+++ b/terraform/providers/dev/variables.tf
@@ -87,3 +87,10 @@ variable "admin_users" {
     "Dan Corrigan" = "7e852ceb-eb0d-49b1-b71e-e9dcd1082ffc"
   }
 }
+
+variable "admin_user_whitelist" {
+  type = map
+  default = {
+    "Rob Gil" = "66.220.238.246"
+  }
+}
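Review bot: With `policy = "Deny"` and `subnet_ids = []`, the state account becomes reachable only from the addresses in `admin_user_whitelist`, so any Terraform run from an address outside that list (a CI agent, another operator, or the listed admin after an address change) fails at state read, and recovery then requires an allowed IP or an out-of-band change to the network rules. A one-line comment making that explicit, `# Only ip_rules guard this account: add every runner/admin address before relying on Deny`, would document the trade-off next to the setting. `module "tf_state"` starts before this hunk.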
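Review bot: `admin_user_whitelist` ships a named person's public IP as a committed `default`, so every workspace that does not override it silently inherits that address in its network rules and the value lives on in version history; prefer `default = {}` and supply the real list per environment (a `.tfvars` file or `TF_VAR_admin_user_whitelist`) so the allow-list is explicit. `type = map` should also be `type = map(string)`, matching the module variable it feeds. A `description` stating that values are bare IPs or CIDR ranges without a /32, as the module variable already documents, would help callers of this root module.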