diff --git a/.github/workflows/apply.yaml b/.github/workflows/apply.yaml new file mode 100644 index 0000000..c784e44 --- /dev/null +++ b/.github/workflows/apply.yaml @@ -0,0 +1,29 @@ +name: Apply Terraform plan + +on: + push: + branches: + - main + +permissions: + contents: read + pull-requests: write + +jobs: + apply: + runs-on: ubuntu-latest + name: Apply Terraform plan + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + TF_VAR_hcloud_token: ${{ secrets.TF_HCLOUD_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ secrets.TF_STATE_ACCESS_KEY }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.TF_STATE_SECRET_KEY }} + AWS_CA_BUNDLE: "" + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Terraform apply + uses: dflook/terraform-apply@v2 + with: + path: terraform \ No newline at end of file diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml new file mode 100644 index 0000000..8ff4bf6 --- /dev/null +++ b/.github/workflows/lint.yaml @@ -0,0 +1,31 @@ +name: Lint Terraform plan + +on: + push: + branches-ignore: + - main + +jobs: + validate: + runs-on: ubuntu-latest + name: Validate Terraform + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Terraform validate + uses: dflook/terraform-validate@v2 + with: + path: terraform + + fmt-check: + runs-on: ubuntu-latest + name: Terraform formatting + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Terraform fmt + uses: dflook/terraform-fmt-check@v2 + with: + path: terraform \ No newline at end of file diff --git a/.github/workflows/plan.yaml b/.github/workflows/plan.yaml new file mode 100644 index 0000000..3fffb52 --- /dev/null +++ b/.github/workflows/plan.yaml 
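Review bot: The `apply` job has no `concurrency` group, so two pushes to `main` in quick succession start overlapping `terraform apply` runs, and the `s3` backend added in `terraform/backend.tf` in the same commit configures no state lock to serialize them; add at workflow or job level `concurrency:` / `  group: terraform-apply` / `  cancel-in-progress: false`. The job-level `env` also hands `GITHUB_TOKEN`, the Hetzner token and both state-bucket keys to every step including `actions/checkout`; moving that `env:` under the `Terraform apply` step limits exposure to the one step that needs it. `actions/checkout@v4` and `dflook/terraform-apply@v2` are pinned to mutable tags; pinning to the full commit SHA with the version in a trailing comment prevents a moved tag from changing what runs with these credentials, and the same applies to the `lint.yaml` and `plan.yaml` hunks. The reason for `AWS_CA_BUNDLE: ""` is not stated anywhere; a one-line comment above it explaining why the bundle is cleared for the Hetzner endpoint would save the next reader from guessing.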
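Review bot: The `Lint Terraform plan` workflow declares no `permissions:` block, so both jobs run with the repository's default `GITHUB_TOKEN` permissions, which can be read/write depending on repository settings, while the sibling `apply.yaml` and `plan.yaml` workflows restrict theirs; add `permissions:` / `  contents: read` at the top level, since `validate` and `fmt-check` only need to read the checkout. Neither job puts provider or state credentials in `env`, which is the right scope for validation and formatting and worth preserving if steps are added later. The workflow `name` says it lints a plan, but the jobs validate and format-check the configuration rather than any plan; `name: Lint Terraform` describes it more accurately.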
@@ -0,0 +1,26 @@ +name: Create Terraform plan + +on: [pull_request] + +permissions: + contents: read + pull-requests: write + +jobs: + plan: + runs-on: ubuntu-latest + name: Create a Terraform plan + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + TF_VAR_hcloud_token: ${{ secrets.TF_HCLOUD_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ secrets.TF_STATE_ACCESS_KEY }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.TF_STATE_SECRET_KEY }} + AWS_CA_BUNDLE: "" + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Terraform plan + uses: dflook/terraform-plan@v2 + with: + path: terraform \ No newline at end of file diff --git a/README.md b/README.md index 413558f..9d0f9d8 100644 --- a/README.md +++ b/README.md 
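Review bot: The `plan` job runs on `pull_request` with the same read/write credentials the apply job uses — `TF_VAR_hcloud_token` plus `TF_STATE_ACCESS_KEY` and `TF_STATE_SECRET_KEY` — so any same-repository pull request that edits the Terraform configuration executes with full Hetzner API and state-bucket access before anyone has reviewed it. Hetzner API tokens can be generated with read-only permission; if the providers and data sources the module touches only read during plan (to confirm), a separate read-only secret for this workflow limits what a plan run can do, and a read-only object-storage credential, if the storage offers one, would do the same for the backend. Pull requests from forks do not receive repository secrets on `pull_request`, so for them this job fails rather than leaks; a comment above `on: [pull_request]` stating that saves a debugging round. As in `apply.yaml`, the job-level `env` exposes the secrets to the `Checkout` step as well; scope it to the `Terraform plan` step.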
@@ -2,15 +2,18 @@ # Cloudijs Platform -Hosting platform based on Kubernetes. This repository contain the IAC used to setup this platform on [Hetzner](https://www.hetzner.com). The platform relies heavily on the amazing [terraform-hcloud-kubernetes](https://github.com/hcloud-k8s/terraform-hcloud-kubernetes) Terraform module. +Hosting platform based on Kubernetes. This repository contain the Terraform used to setup this platform on [Hetzner](https://www.hetzner.com). The platform relies heavily on the amazing [terraform-hcloud-kubernetes](https://github.com/hcloud-k8s/terraform-hcloud-kubernetes) Terraform module. ## Deployment -To deploy the platform you will need a Hetzer account and create a [token](https://docs.hetzner.com/cloud/api/getting-started/generating-api-token/). Then run Terraform or Tofu after setting the token variable: +To deploy the platform you will need a Hetzner account and create a [token](https://docs.hetzner.com/cloud/api/getting-started/generating-api-token/). In this example a Hetzner object storage is used for storing the Terraform state. Then run Terraform or Tofu after setting the required variables: ```bash -export TF_VAR_hcloud_token="" -tofu plan -tofy apply +export TF_VAR_HCLOUD_TOKEN="" +export TF_VAR_STATE_BUCKET_NAME="" +export TF_VAR_STATE_BUCKET_ACCESS_KEY="" +export TF_VAR_STATE_BUCKET_SECRET_KEY="" +terraform plan +terraform apply ``` ## Sources @@ -20,6 +23,7 @@ tofy apply * https://registry.terraform.io/providers/hetznercloud/hcloud/latest * https://docs.hetzner.cloud/changelog#2025-04-23-talos-linux-v195-iso-now-available * https://github.com/hetznercloud/hcloud-cloud-controller-manager/tree/main +* https://github.com/dflook/terraform-github-actions ## License diff --git a/terraform/backend.tf b/terraform/backend.tf new file mode 100644 index 0000000..f49c4bf --- /dev/null +++ b/terraform/backend.tf 
@@ -0,0 +1,13 @@ +terraform { + backend "s3" { + bucket = "platform-state" + key = "platform/terraform.tfstate" + region = "us-east-1" # required but not used by Hetzner + endpoints = { s3 = "https://fsn1.your-objectstorage.com" } # Falkenstein region + use_path_style = true + skip_credentials_validation = true + skip_region_validation = true + skip_requesting_account_id = true + skip_metadata_api_check = true + } +} \ No newline at end of file diff --git a/terraform/main.tf b/terraform/main.tf index e62ea46..a6124cd 100644 --- a/terraform/main.tf +++ b/terraform/main.tf @@ -21,4 +21,4 @@ module "kubernetes" { worker_nodepools = [ { name = "worker", type = "cpx11", location = "fsn1", count = 2 } ] -} +} \ No newline at end of file diff --git a/terraform/variables.tf b/terraform/variables.tf index 15e218d..7ac31a3 100644 --- a/terraform/variables.tf +++ b/terraform/variables.tf @@ -1,3 +1,4 @@ +# Hetzner secrets variable "hcloud_token" { - sensitive = true + sensitive = true } \ No newline at end of file
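Review bot: The `s3` backend block configures no state locking, so nothing serializes concurrent runs against `platform-state`, and the `apply.yaml` workflow added in this commit can start overlapping applies on consecutive pushes to `main`; a comment such as `# no state locking: runs must be serialized by the CI workflow` above `bucket` makes that constraint explicit, and if the Hetzner endpoint supports the S3 conditional writes that Terraform's `use_lockfile = true` relies on (to confirm), enabling it would close the gap. The README changed in the same commit tells users to export `TF_VAR_STATE_BUCKET_NAME`, `TF_VAR_STATE_BUCKET_ACCESS_KEY` and `TF_VAR_STATE_BUCKET_SECRET_KEY`, but a backend block cannot read Terraform variables and `bucket` is hard-coded here; what the workflows actually consume is `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY`, so either the README or this block (via `-backend-config` partial configuration) needs to change. The README also renames the token variable to `TF_VAR_HCLOUD_TOKEN`, while `variables.tf` declares `hcloud_token` and both workflows set `TF_VAR_hcloud_token`; `TF_VAR_` names are case-sensitive, so the README form would leave the variable unset. The state written to this bucket will hold the module's resource attributes and outputs, which for a Kubernetes cluster commonly include credentials; if the endpoint honors server-side encryption, `encrypt = true` is worth adding, and otherwise a comment noting that the bucket must stay private.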