diff --git a/api/v1alpha2/terraform_types.go b/api/v1alpha2/terraform_types.go
index 9998bda2b..1bc5e2130 100644
--- a/api/v1alpha2/terraform_types.go
+++ b/api/v1alpha2/terraform_types.go
@@ -227,6 +227,10 @@ type TerraformSpec struct {
 // +optional
 TFState *TFStateSpec `json:"tfstate,omitempty"`
 
+ // annotations to add to the tfstate secret
+ // +optional
+ TFStateAnnotations map[string]string `json:"tfstateAnnotations,omitempty"`
+
 // Targets specify the resource, module or collection of resources to target.
 // +optional
 Targets []string `json:"targets,omitempty"`
diff --git a/api/v1alpha2/zz_generated.deepcopy.go b/api/v1alpha2/zz_generated.deepcopy.go
index 680f75402..61b594f24 100644
--- a/api/v1alpha2/zz_generated.deepcopy.go
+++ b/api/v1alpha2/zz_generated.deepcopy.go
@@ -572,6 +572,13 @@ func (in *TerraformSpec) DeepCopyInto(out *TerraformSpec) {
 *out = new(TFStateSpec)
 **out = **in
 }
+ if in.TFStateAnnotations != nil {
+ in, out := &in.TFStateAnnotations, &out.TFStateAnnotations
+ *out = make(map[string]string, len(*in))
+ for key, val := range *in {
+ (*out)[key] = val
+ }
+ }
 if in.Targets != nil {
 in, out := &in.Targets, &out.Targets
 *out = make([]string, len(*in))
diff --git a/charts/tofu-controller/crds/crds.yaml b/charts/tofu-controller/crds/crds.yaml
index 2f6cd7245..b8a87bf48 100644
--- a/charts/tofu-controller/crds/crds.yaml
+++ b/charts/tofu-controller/crds/crds.yaml
@@ -10441,6 +10441,11 @@ spec:
 Defaults to `0s` which will behave as though `LockTimeout` was not set
 type: string
 type: object
+ tfstateAnnotations:
+ additionalProperties:
+ type: string
+ description: annotations to add to the tfstate secret
+ type: object
 values:
 description: |-
 Values map to the Terraform variable "values", which is an object of arbitrary values.
diff --git a/config/crd/bases/infra.contrib.fluxcd.io_terraforms.yaml b/config/crd/bases/infra.contrib.fluxcd.io_terraforms.yaml
index 2f6cd7245..b8a87bf48 100644
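Review bot: The doc comment on the new TFStateAnnotations field, `// annotations to add to the tfstate secret`, does not begin with the field name as Go doc convention and the neighbouring fields in this struct (e.g. `// Targets specify …`) do, and the same text is copied verbatim into the generated CRD description, so users see it in `kubectl explain`. Suggest `// TFStateAnnotations are annotations to add to the tfstate Secret. Keys already present on the Secret are overwritten; keys removed from this map are not removed from the Secret.` — keep the second sentence only if that matches the controller's intended merge behaviour, which the controller hunk on the next line appears to implement. The deepcopy and CRD hunks on this line are generated and need no separate review.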
--- a/config/crd/bases/infra.contrib.fluxcd.io_terraforms.yaml
+++ b/config/crd/bases/infra.contrib.fluxcd.io_terraforms.yaml
@@ -10441,6 +10441,11 @@ spec:
 Defaults to `0s` which will behave as though `LockTimeout` was not set
 type: string
 type: object
+ tfstateAnnotations:
+ additionalProperties:
+ type: string
+ description: annotations to add to the tfstate secret
+ type: object
 values:
 description: |-
 Values map to the Terraform variable "values", which is an object of arbitrary values.
diff --git a/controllers/tf_controller.go b/controllers/tf_controller.go
index a6ee7ef6e..9b5f4642b 100644
--- a/controllers/tf_controller.go
+++ b/controllers/tf_controller.go
@@ -816,6 +816,38 @@ func (r *TerraformReconciler) patchStatus(ctx context.Context, objectKey types.N
 return r.Status().Patch(ctx, &terraform, patch, statusOpts)
 }
 
+func (r *TerraformReconciler) patchAnnotationsToTfstateSecret(ctx context.Context, terraform infrav1.Terraform) error {
+ if len(terraform.Spec.TFStateAnnotations) == 0 {
+ // skip if no annotations are provided
+ return nil
+ }
+ secretSuffix := terraform.Name
+ if terraform.Spec.BackendConfig != nil && terraform.Spec.BackendConfig.SecretSuffix != "" {
+ secretSuffix = terraform.Spec.BackendConfig.SecretSuffix
+ }
+
+ secret := &corev1.Secret{}
+ err := r.Client.Get(ctx, types.NamespacedName{
+ Namespace: terraform.Namespace,
+ Name: fmt.Sprintf(`tfstate-%s-%s`, terraform.WorkspaceName(), secretSuffix),
+ }, secret)
+ if err != nil {
+ return err
+ }
+
+ // set annotations to the secret
+ for key, value := range terraform.Spec.TFStateAnnotations {
+ secret.Annotations[key] = value
+ }
+
+ err = r.Client.Update(ctx, secret)
+ if err != nil {
+ return err
+ }
+
+ return nil
+}
+
 func (r *TerraformReconciler) IndexBy(kind string) func(o client.Object) []string {
 return func(o client.Object) []string {
 terraform, ok := o.(*infrav1.Terraform)
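Review bot: `secret.Annotations[key] = value` in patchAnnotationsToTfstateSecret writes into a map that may be nil — a Secret fetched with no annotations has a nil Annotations map, and assigning to a nil map panics, which would take down the reconciler instead of surfacing as the logged, non-critical error the caller expects. Guard before the loop: `if secret.Annotations == nil {` / `secret.Annotations = make(map[string]string, len(terraform.Spec.TFStateAnnotations))` / `}`. The full-object `r.Client.Update` also replaces the whole Secret, so it can conflict with whatever else writes the tfstate Secret (presumably the runner after apply) and would then fail on resourceVersion; a merge patch that only carries the annotation change — `patch := client.MergeFrom(secret.DeepCopy())` taken before mutating, then `r.Client.Patch(ctx, secret, patch)` — avoids both the race and clobbering data written in between. Because this Secret holds Terraform state, which frequently embeds credentials, any annotation-driven behaviour in the cluster (secret replication or backup tooling, for instance) is now controllable by whoever can write the Terraform object, so the field's documentation should state that keys already on the Secret are overwritten and that the controller never removes keys dropped from the spec.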
diff --git a/controllers/tf_controller_reconcile.go b/controllers/tf_controller_reconcile.go
index 11f6a1c27..6c7aec9b7 100644
--- a/controllers/tf_controller_reconcile.go
+++ b/controllers/tf_controller_reconcile.go
@@ -206,6 +206,11 @@ func (r *TerraformReconciler) reconcile(ctx context.Context, runnerClient runner
 return &terraform, err
 }
 
+ if err := r.patchAnnotationsToTfstateSecret(ctx, terraform); err != nil {
+ log.Error(err, "unable to set annotations to tfstate secret")
+ // not a critical error, continue
+ }
+
 if err := r.patchStatus(ctx, objectKey, terraform.Status); err != nil {
 log.Error(err, "unable to update status after applying")
 return &terraform, err
diff --git a/docs/References/terraform.md b/docs/References/terraform.md
index b447fe30a..8f0dc5944 100644
--- a/docs/References/terraform.md
+++ b/docs/References/terraform.md
@@ -1789,6 +1789,18 @@ TFStateSpec
tfstateAnnotations
annotations to add to the tfstate secret
+targets
tfstateAnnotations
annotations to add to the tfstate secret
+targets