diff --git a/infrastructure/terraform/README.md b/infrastructure/terraform/README.md index 84d0d5bc..8f5e2ced 100644 --- a/infrastructure/terraform/README.md +++ b/infrastructure/terraform/README.md @@ -67,3 +67,20 @@ terraform workspace select prod ``` Remember to update your variables file accordingly when planning and applying changes (`-var-file=prod.tfvars` for production, for example). + +## Future TODOS + +- At the moment, the database is publicly accessible. We could add an inbound rule to a security group to restrict access to the ip of the vercel application in prod which would look something like this: + +``` +resource "aws_security_group_rule" "allow_specific_ip" { + type = "ingress" + from_port = 5432 + to_port = 5432 + protocol = "tcp" + cidr_blocks = ["your.vercel.app.ip.address/32"] + security_group_id = aws_db_instance.default.vpc_security_group_ids[0] +} +``` + +- Set up prod!
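Review bot: In the added example, `security_group_id = aws_db_instance.default.vpc_security_group_ids[0]` indexes an attribute that the AWS provider exposes as a set, so `[0]` will not evaluate. Point the rule at a dedicated `aws_security_group` resource's `id` instead, and attach that group to the instance. The TODO text also says that adding an inbound rule will restrict access, but an ingress rule only adds an allowance. The database stays reachable until the rule that currently opens 5432 broadly is removed, so the bullet should name that step too. The `/32` in `cidr_blocks` assumes the Vercel application has a stable egress address, which the bullet should state as a precondition. Since this README now records that the database is publicly accessible, consider tracking it as an issue with an owner rather than only as a TODO bullet. Minor: the heading should read "TODOs", "ip" should be "IP", "vercel" should be "Vercel", and the fence would render better tagged as `hcl`.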