diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 0000000..cd96392
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,60 @@
+name: Deploy to Production
+
+on:
+ push:
+ branches:
+ - master
+ workflow_dispatch:
+
+permissions:
+ contents: read
+ id-token: write # required for AWS OIDC
+
+jobs:
+ apply:
+ environment: Production
+ timeout-minutes: 60
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout Git Repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Setup OpenTofu
+ uses: opentofu/setup-opentofu@v1
+ with:
+ tofu_version: 1.8.6
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: us-east-1
+ role-to-assume: ${{ secrets.BACKEND_ROLE }}
+
+ - name: OpenTofu init
+ run: |
+ tofu init \
+ -backend-config="bucket=${{ secrets.BACKEND_BUCKET }}" \
+ -backend-config="dynamodb_table=${{ secrets.BACKEND_DDB_TABLE }}"
+
+ - name: OpenTofu validate
+ run: tofu validate
+
+ - name: OpenTofu plan
+ env:
+ OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
+ OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
+ # Legacy, pending new provider version
+ TF_VAR_application_credential_id: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
+ TF_VAR_application_credential_secret: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
+ run: tofu plan -out tfplan
+
+ - name: OpenTofu apply
+ env:
+ OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
+ OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
+ # Legacy, pending new provider version
+ TF_VAR_application_credential_id: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
+ TF_VAR_application_credential_secret: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
+ run: tofu apply tfplan
\ No newline at end of file
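Review bot: The three `uses:` lines (`actions/checkout@v4`, `opentofu/setup-opentofu@v1`, `aws-actions/configure-aws-credentials@v4`) reference mutable major-version tags in a job that mints AWS credentials through OIDC and applies to production, so a retagged or compromised release of any of them runs with `id-token: write` and the assumed `BACKEND_ROLE`. Pin each action to the full commit SHA of the release and keep the tag as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, and let a dependency bot move the pins. Separately, `workflow_dispatch:` lets anyone with write access start this job from any branch; unless the `Production` environment's deployment-branch policy is restricted to `master` and required reviewers are set (not visible in this diff), a feature branch can be applied straight to production, so that configuration should be confirmed alongside this workflow.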
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
new file mode 100644
index 0000000..85d1d0e
--- /dev/null
+++ b/.github/workflows/pr.yml
@@ -0,0 +1,76 @@
+name: Run plan for PR
+
+on:
+ pull_request:
+ branches:
+ - master
+
+permissions:
+ contents: read
+ id-token: write # required for AWS OIDC
+ pull-requests: write # required for writing the PR comment
+
+jobs:
+ plan:
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ steps:
+ - name: Checkout Git Repository
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+
+ - name: Setup OpenTofu
+ uses: opentofu/setup-opentofu@v1
+ with:
+ tofu_version: 1.8.6
+
+ - name: Configure AWS Credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-region: us-east-1
+ role-to-assume: ${{ secrets.BACKEND_ROLE }}
+
+ - name: OpenTofu init
+ run: |
+ tofu init \
+ -backend-config="bucket=${{ secrets.BACKEND_BUCKET }}" \
+ -backend-config="dynamodb_table=${{ secrets.BACKEND_DDB_TABLE }}"
+
+ - name: OpenTofu validate
+ run: tofu validate
+
+ - name: OpenTofu plan
+ env:
+ OS_APPLICATION_CREDENTIAL_ID: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
+ OS_APPLICATION_CREDENTIAL_SECRET: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
+ # Legacy, pending new provider version
+ TF_VAR_application_credential_id: ${{ secrets.OS_APPLICATION_CREDENTIAL_ID }}
+ TF_VAR_application_credential_secret: ${{ secrets.OS_APPLICATION_CREDENTIAL_SECRET }}
+ run: tofu plan -out tfplan
+
+ - name: Get plan output for PR comment
+ id: plan
+ run: tofu show -no-color tfplan
+
+ - name: Update Pull Request
+ uses: actions/github-script@v7
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ const output = `
Show OpenTofu Plan
+
+ \`\`\`\n
+ ${{ steps.plan.outputs.stdout }}
+ \`\`\`
+
+
+
+ *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
+
+ github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: output
+ })
\ No newline at end of file
diff --git a/app.tf b/app.tf
index ce1bd5f..ec8772d 100644
--- a/app.tf
+++ b/app.tf
@@ -4,8 +4,7 @@ locals { } module "bluegreen" { - source = "app.terraform.io/enwikipedia-acc/bluegreen/openstack" - version = "0.2.0" + source = "github.com/enwikipedia-acc/terraform-openstack-bluegreen?ref=0.2.0" blue_dns_name = "${local.blue_resource_prefix}.${data.openstack_dns_zone_v2.rootzone.name}" green_dns_name = "${local.green_resource_prefix}.${data.openstack_dns_zone_v2.rootzone.name}"
@@ -15,7 +14,7 @@ module "bluegreen" { module "application-blue" { source = "github.com/enwikipedia-acc/terraform-openstack-waca-application" - # version = "0.0.0" + count = module.bluegreen.blue_count dns_name = module.bluegreen.blue_dns_name
@@ -34,7 +33,7 @@ module "application-green" { module "application-green" { source = "github.com/enwikipedia-acc/terraform-openstack-waca-application" - # version = "0.0.0" + count = module.bluegreen.green_count dns_name = module.bluegreen.green_dns_name
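Review bot: In the `Update Pull Request` step the plan text is spliced into the JavaScript template literal as `${{ steps.plan.outputs.stdout }}`, which the runner expands before github-script evaluates the code, so a backtick or `${...}` sequence in any value of the plan (rendered from the PR branch's own `.tf` files) breaks out of the literal and runs attacker-chosen JavaScript with the `GITHUB_TOKEN` holding `pull-requests: write` and, since `configure-aws-credentials` exports its session into the job environment, most likely the backend role's AWS credentials as well. Pass the text as data instead: add `env:` with `PLAN: ${{ steps.plan.outputs.stdout }}` to that step and reference `${process.env.PLAN}` inside the literal; `${{ github.actor }}` and `${{ github.event_name }}` are constrained values and can stay. Note also that `tofu plan` runs the PR branch's configuration with the production OpenStack application credential and the same `BACKEND_ROLE` the deploy workflow assumes; because the trigger is `pull_request` rather than `pull_request_target`, fork PRs get no secrets, but any collaborator's PR can add a provider or `external` data source that executes at plan time, so a plan-only OpenStack credential and a read-only backend role for this workflow would bound the blast radius.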
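Review bot: The new `source` line moves the `bluegreen` module from the private registry to `github.com/enwikipedia-acc/terraform-openstack-bluegreen?ref=0.2.0`, where `0.2.0` is a git tag that can be moved or force-pushed and is fetched by `tofu init` with no checksum or signature check, so anyone who can push tags to that repository can change what the deploy workflow applies to production. Pin to the commit the tag currently resolves to and keep the version as a comment, e.g. `source = "github.com/enwikipedia-acc/terraform-openstack-bluegreen?ref=<commit-sha>" # 0.2.0`, and move the pin deliberately when upgrading. The rest of the `bluegreen` module block lies outside the hunk.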
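Review bot: `module "application-blue"` keeps `source = "github.com/enwikipedia-acc/terraform-openstack-waca-application"` with no `?ref=` at all, and this hunk deletes the commented-out `# version` placeholder rather than replacing it, so `tofu init` in both workflows fetches whatever that repository's default branch points to at run time; any push there becomes a production change reviewed nowhere in this repository, and the PR plan and the later apply can resolve to different commits. Add a pin, e.g. `source = "github.com/enwikipedia-acc/terraform-openstack-waca-application?ref=<commit-sha>"`, and bump it through a PR so the module diff is reviewed here. The `application-green` module in the next hunk has the identical unpinned source and needs the same treatment; the rest of each module block is outside the hunk.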