diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index d220f20..78f527e 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -4,6 +4,10 @@ defaults:
 working-directory: infrastructure
 name: Deploy
 on: [push, pull_request]
+permissions:
+ id-token: write
+ contents: read
+ pull-requests: write
 jobs:
 deploy-infrastructure:
 runs-on: ubuntu-latest
@@ -11,8 +15,29 @@ jobs:
 - uses: actions/checkout@v4
 - uses: hashicorp/setup-terraform@v3
- - name: Prepare
- run: |
- terraform init
- terraform plan
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: ${{ secrets.AWS_OIDC_ASSUME_ROLE_ARN }}
+ aws-region: eu-central-1
+ role-session-name: GitHub-OIDC-TF
+
+ - name: Terraform Init
+ id: init
+ env:
+ AWS_BUCKET_NAME: ${{ secrets.AWS_STATE_BUCKET_NAME }}
+ run: terraform init --backend-config="bucket=${AWS_BUCKET_NAME}"
+
+ - name: Terraform Validation
+ id: validate
+ run: terraform validate
+
+ - name: Terraform Plan
+ id: plan
+ #if: github.event.name == 'pull_request'
+ run: terraform plan
+ - name: Terraform Apply
+ id: apply
+ #if: github.ref == 'refs/head/main' && github.event_name == 'push'
+ run: terraform apply -auto-approve
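Review bot: `pull-requests: write` is granted to the workflow token but nothing in this diff uses it; the OIDC exchange needs only `id-token: write` and checkout needs only `contents: read`. Unless a step outside this hunk posts plan output as a PR comment, the permission is surplus and widens what a compromised step in this job could do with `GITHUB_TOKEN`. I would drop the line, or move the `permissions:` block onto the `deploy-infrastructure` job so it cannot leak to jobs added later.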
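Review bot: With both `if:` guards left commented out, the Terraform Apply step runs `terraform apply -auto-approve` on every `push` and `pull_request` event the workflow's `on:` trigger accepts, so opening a same-repo PR changes live infrastructure before anyone reviews the plan. The commented conditions would not work even if re-enabled: `github.event.name` reads a payload field that push and pull_request events do not carry (the context property is `github.event_name`), and `refs/head/main` is missing the `s` of `refs/heads/main`, so the apply guard would never match. Proposed lines: `if: github.event_name == 'pull_request'` on the plan step and `if: github.ref == 'refs/heads/main' && github.event_name == 'push'` on the apply step, which matches the intent the comments describe. The `steps:` list these entries belong to starts before the hunk and its trailing context lines are not visible here.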