diff --git a/multi-arch-builders/coreos-x86_64-builder.bu b/multi-arch-builders/coreos-x86_64-builder.bu
index 88f2e63e4..b71aaac0d 100644
--- a/multi-arch-builders/coreos-x86_64-builder.bu
+++ b/multi-arch-builders/coreos-x86_64-builder.bu
@@ -6,10 +6,6 @@
 #
 variant: fcos
 version: 1.4.0
-ignition:
- config:
- merge:
- - local: builder-common.ign
 passwd:
 users:
 - name: builder
diff --git a/multi-arch-builders/provisioning/x86_64/README.md b/multi-arch-builders/provisioning/x86_64/README.md
new file mode 100644
index 000000000..1d7bf06ce
--- /dev/null
+++ b/multi-arch-builders/provisioning/x86_64/README.md
@@ -0,0 +1,94 @@
+# OpenTofu
+
+ OpenTofu is a Terraform fork, is an open-source infrastructure as code (IaC) tool
+ lets you define both cloud and on-prem resources in human-readable configuration files
+ that you can version, reuse, and share.
+
+ To proceed with the next steps, ensure that 'tofu' is installed on your system.
+ See: https://github.com/opentofu/opentofu/releases
+
+## Before starting
+
+### AWS credentials
+
+```bash
+# Add your credentials to the environment.
+# Be aware for x86_64 the region is us-east-2
+HISTCONTROL='ignoreboth'
+ export AWS_DEFAULT_REGION=us-east-2
+ export AWS_ACCESS_KEY_ID=XXXX
+ export AWS_SECRET_ACCESS_KEY=YYYYYYYY
+```
+
+Make sure your AMI user has access to this policies:
+
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "ec2:*",
+ "Resource": "*"
+ }
+ ]
+}
+```
+
+### TF vars via environment variables
+
+If you'd like to override the target distro (defaults to `fcos`) you
+can:
+
+```
+export TF_VAR_distro=rhcos
+```
+
+If you are deploying RHCOS you'll need to define variables for splunk configuration:
+
+```
+export TF_VAR_splunk_hostname=...
+export TF_VAR_splunk_sidecar_repo=...
+export TF_VAR_itpaas_splunk_repo=...
+```
+
+## Running tofu
+```bash
+ # To begin using it, run 'init' within this directory.
+ tofu init
+ # If you don't intend to make any changes to the code, simply run it:
+ tofu apply
+ # If you plan to make changes to the code as modules/plugins, go ahead and run it:
+ tofu init -upgrade
+ # To destroy it run:
+ tofu destroy -target aws_instance.coreos-x86_64-builder
+```
+## Generating additional resources with unique names
+
+When rerunning the Tofu configuration any changes will be
+applied to the existing resources. If you intend to add a new
+resource with a different name, please be aware that TOFU doesn't
+support interpolation in resource names.
+
+To achieve this, you'll need to manually edit the resource name
+in the Tofu configuration.
+
+```
+resource "aws_instance" "coreos-x86_64-builder"
+```
+Make sure the resource name is unique, in this case
+if I already have a resource named `coreos-x86_64-builder`,
+I need to change it to `coreos-x86_64-devel-builder` for example.
+
+I may also want to update the project var:
+
+```
+variable "project" {
+ type = string
+ default = "coreos-x86_64-devel-builder"
+}
+```
+
+After it, I can rerun `tofu apply`.
+
+The same is validated to all resources types.
diff --git a/multi-arch-builders/provisioning/x86_64/main.tf b/multi-arch-builders/provisioning/x86_64/main.tf
new file mode 100644
index 000000000..03b6f5173
--- /dev/null
+++ b/multi-arch-builders/provisioning/x86_64/main.tf
@@ -0,0 +1,138 @@
+terraform {
+ required_providers {
+ ct = {
+ source = "poseidon/ct"
+ version = "0.13.0"
+ }
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 5.0"
+ }
+ http = {
+ source = "hashicorp/http"
+ version = "2.1.0"
+ }
+ }
+}
+
+provider "aws" {}
+provider "ct" {}
+provider "http" {}
+
+variable "project" {
+ type = string
+ default = "coreos-x86_64-builder"
+}
+
+# Which distro are we deploying a builder for? Override the
+# default by setting the env var: TF_VAR_distro=rhcos
+variable "distro" {
+ type = string
+ default = "fcos"
+}
+check "health_check_distro" {
+ assert {
+ condition = anytrue([
+ var.distro == "fcos",
+ var.distro == "rhcos"
+ ])
+ error_message = "Distro must be 'fcos' or 'rhcos'"
+ }
+}
+
+# Variables used for splunk deployment, which is only
+# for RHCOS builders. Define them in the environment with:
+# export TF_VAR_splunk_hostname=...
+# export TF_VAR_splunk_sidecar_repo=...
+# export TF_VAR_itpaas_splunk_repo=...
+variable "splunk_hostname" {
+ type = string
+ default = ""
+}
+variable "splunk_sidecar_repo" {
+ type = string
+ default = ""
+}
+variable "itpaas_splunk_repo" {
+ type = string
+ default = ""
+}
+# Check that if we are deploying a RHCOS builder the splunk
+# variables have been defined.
+check "health_check_rhcos_splunk_vars" {
+ assert {
+ condition = !(var.distro == "rhcos" && anytrue([
+ var.splunk_hostname == "",
+ var.splunk_sidecar_repo == ""
+ ]))
+ error_message = "Must define splunk env vars for RCHOS builders"
+ }
+}
+
+locals {
+ fcos_snippets = [
+ file("../../coreos-x86_64-builder.bu"),
+ ]
+ rhcos_snippets = [
+ file("../../coreos-x86_64-builder.bu"),
+ templatefile("../../builder-splunk.bu", {
+ SPLUNK_HOSTNAME = var.splunk_hostname
+ SPLUNK_SIDECAR_REPO = var.splunk_sidecar_repo
+ })
+ ]
+}
+data "ct_config" "butane" {
+ strict = true
+ content = file("../../builder-common.bu")
+ snippets = var.distro == "rhcos" ? local.rhcos_snippets : local.fcos_snippets
+}
+
+data "aws_region" "aws_region" {}
+
+# Gather information about the AWS image for the current region
+data "http" "stream_metadata" {
+ url = "https://builds.coreos.fedoraproject.org/streams/stable.json"
+
+ request_headers = {
+ Accept = "application/json"
+ }
+}
+# Lookup the x86_64 AWS image for the current AWS region
+locals {
+ ami = lookup(jsondecode(data.http.stream_metadata.body).architectures.x86_64.images.aws.regions, data.aws_region.aws_region.name).image
+}
+
+variable "rhcos_aws_vpc_prod" {
+ description = "RHCOS Prod US East 2"
+ default = "vpc-0e33d95334e362c7e"
+}
+variable "rhcos_aws_subnet_internal" {
+ description = "RHCOS Prod US East 2 subnet"
+ default = "subnet-02014b5e587d01fd2"
+}
+# If we are RHCOS we'll be using an already existing VPC/subnet rather
+# than the newly created one.
+locals {
+ aws_vpc_id = var.distro == "rhcos" ? var.rhcos_aws_vpc_prod : aws_vpc.vpc[0].id
+ aws_subnet_id = var.distro == "rhcos" ? var.rhcos_aws_subnet_internal : aws_subnet.private_subnets[0].id
+}
+
+resource "aws_instance" "coreos-x86_64-builder" {
+ tags = {
+ Name = "${var.project}-${formatdate("YYYYMMDD", timestamp())}"
+ }
+ ami = local.ami
+ user_data = data.ct_config.butane.rendered
+ instance_type = "t2.medium"
+ vpc_security_group_ids = [aws_security_group.sg.id]
+ subnet_id = local.aws_subnet_id
+ root_block_device {
+ volume_size = "50"
+ volume_type = "gp3"
+ }
+ associate_public_ip_address = var.distro == "fcos" ? "true" : "false"
+}
+
+output "instance_ip_addr" {
+ value = var.distro == "rhcos" ? aws_instance.coreos-x86_64-builder.private_ip : aws_instance.coreos-x86_64-builder.public_ip
+}
diff --git a/multi-arch-builders/provisioning/x86_64/networks.tf b/multi-arch-builders/provisioning/x86_64/networks.tf
new file mode 100644
index 000000000..d18df5286
--- /dev/null
+++ b/multi-arch-builders/provisioning/x86_64/networks.tf
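Review bot: The two `check` blocks (`health_check_distro` and `health_check_rhcos_splunk_vars`) only produce warnings — a failed `check` assertion never stops `tofu plan` or `tofu apply` — so neither guard actually prevents deploying with an unrecognised distro or with empty splunk values; the distro test belongs in a `validation` block on `variable "distro"` and the splunk test in a `lifecycle { precondition }` on the instance, both of which do halt the run. The second check also omits `itpaas_splunk_repo`, which is declared and documented as required but never read (it is not passed to `templatefile`), and its message spells the distro `RCHOS`. The `aws_instance` block lacks two hardening settings a builder host should carry: `metadata_options { http_tokens = "required" }` to enforce IMDSv2 so a process on the instance cannot read role credentials with a plain GET, and `encrypted = true` on `root_block_device`. Separately, the `Name` tag built from `timestamp()` changes on every plan, so each `tofu apply` reports an in-place tag update; `ignore_changes = [tags]` or a fixed date would quiet that.
```hcl
variable "distro" {
  type    = string
  default = "fcos"
  validation {
    condition     = contains(["fcos", "rhcos"], var.distro)
    error_message = "Distro must be 'fcos' or 'rhcos'"
  }
}
# … unchanged: splunk variables, locals, ct_config, stream metadata, VPC/subnet locals …
resource "aws_instance" "coreos-x86_64-builder" {
  # … unchanged: tags, ami, user_data, instance_type, vpc_security_group_ids, subnet_id …
  root_block_device {
    volume_size = "50"
    volume_type = "gp3"
    encrypted   = true
  }
  metadata_options {
    http_tokens = "required"
  }
  lifecycle {
    precondition {
      condition     = var.distro != "rhcos" || (var.splunk_hostname != "" && var.splunk_sidecar_repo != "" && var.itpaas_splunk_repo != "")
      error_message = "Must define splunk env vars for RHCOS builders"
    }
  }
  # … unchanged: associate_public_ip_address …
}
```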
@@ -0,0 +1,50 @@
+resource "aws_vpc" "vpc" {
+ count = var.distro == "fcos" ? 1 : 0
+ cidr_block = "172.31.0.0/16"
+ tags = {
+ Name = "${var.project}-vpc"
+ }
+}
+
+resource "aws_internet_gateway" "gw" {
+ count = var.distro == "fcos" ? 1 : 0
+ vpc_id = aws_vpc.vpc[0].id
+}
+
+data "aws_availability_zones" "azs" {
+ state = "available"
+}
+
+variable "private_subnet_cidrs" {
+ type = list(string)
+ description = "Private Subnet CIDR values"
+ default = ["172.31.1.0/24", "172.31.2.0/24", "172.31.3.0/24", "172.31.4.0/24", "172.31.5.0/24", "172.31.6.0/24", "172.31.7.0/24", "172.31.8.0/24"]
+}
+
+resource "aws_subnet" "private_subnets" {
+ count = var.distro == "fcos" ? length(data.aws_availability_zones.azs.names) : 0
+ vpc_id = aws_vpc.vpc[0].id
+ cidr_block = element(var.private_subnet_cidrs, count.index)
+ availability_zone = element(data.aws_availability_zones.azs.names, count.index)
+ tags = {
+ Name = "${var.project}-private-subnet-${count.index + 1}"
+ }
+}
+
+resource "aws_route_table" "internet_route" {
+ count = var.distro == "fcos" ? 1 : 0
+ vpc_id = aws_vpc.vpc[0].id
+ route {
+ cidr_block = "0.0.0.0/0"
+ gateway_id = aws_internet_gateway.gw[0].id
+ }
+ tags = {
+ Name = "${var.project}-ig"
+ }
+}
+
+resource "aws_main_route_table_association" "public-set-main-default-rt-assoc" {
+ count = var.distro == "fcos" ? 1 : 0
+ vpc_id = aws_vpc.vpc[0].id
+ route_table_id = aws_route_table.internet_route[0].id
+}
diff --git a/multi-arch-builders/provisioning/x86_64/security-groups.tf b/multi-arch-builders/provisioning/x86_64/security-groups.tf
new file mode 100644
index 000000000..f869ca194
--- /dev/null
+++ b/multi-arch-builders/provisioning/x86_64/security-groups.tf
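Review bot: `aws_main_route_table_association` makes `internet_route` — which carries a `0.0.0.0/0` route to the internet gateway — the VPC's main route table, so every subnet in `aws_subnet.private_subnets` (and any subnet later added to this VPC without an explicit association) is internet-routed; the "private" in the resource name and the `-private-subnet-` tag is therefore misleading, and with `associate_public_ip_address` set for fcos in main.tf the builder is directly reachable from the internet. If that exposure is intended, rename the resource and tag to say `public` so a later reader does not assume isolation; if it is not, drop the main-table association and attach `internet_route` only to the single subnet the instance uses. One more thing to hedge: `element(var.private_subnet_cidrs, count.index)` wraps around once a region reports more availability zones than the eight listed CIDRs, which would yield duplicate CIDR blocks and a failed apply — bounding the count with `min(length(var.private_subnet_cidrs), length(data.aws_availability_zones.azs.names))` would make that limit explicit.
```hcl
# replaces aws_main_route_table_association: only the subnet the builder lands in gets the internet route
resource "aws_route_table_association" "builder_subnet" {
  count          = var.distro == "fcos" ? 1 : 0
  subnet_id      = aws_subnet.private_subnets[0].id
  route_table_id = aws_route_table.internet_route[0].id
}
```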
@@ -0,0 +1,24 @@
+resource "aws_security_group" "sg" {
+ name = "${var.project}-security-group"
+ description = "Allow SSH inbound traffic only"
+ vpc_id = local.aws_vpc_id
+
+ ingress {
+ description = "SSH access"
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ tags = {
+ Name = "${var.project}-security-group"
+ }
+}
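Review bot: The ingress rule on port 22 admits `0.0.0.0/0`, and for the fcos path main.tf gives the instance a public IP in a VPC whose main route table defaults to the internet gateway, so the builder's SSH port is reachable from any address; for rhcos the same rule is created inside the existing prod VPC. The allowed source ranges should come from a variable so each deployment states who may reach the host, `cidr_blocks = var.ssh_allowed_cidrs`, with the variable declared without a default so `tofu apply` refuses to proceed until `TF_VAR_ssh_allowed_cidrs` is set, matching the `TF_VAR_` pattern the README already uses. The `description = "Allow SSH inbound traffic only"` is accurate for ingress, but the egress block is fully open; if unrestricted outbound is intended, a one-line comment on the `egress` block saying so would keep the description from misleading.
```hcl
variable "ssh_allowed_cidrs" {
  type        = list(string)
  description = "Source CIDR blocks permitted to reach port 22 on the builder; set via TF_VAR_ssh_allowed_cidrs"
}

resource "aws_security_group" "sg" {
  # … unchanged: name, description, vpc_id …
  ingress {
    description = "SSH access"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = var.ssh_allowed_cidrs
  }
  # … unchanged: egress, tags …
}
```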