diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5928e07..0923c38 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,10 @@ on:
   branches:
     - main
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   release:
     name: build and publish
@@ -39,10 +43,10 @@ jobs:
           CI: true
 
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1
+        uses: aws-actions/configure-aws-credentials@v3
         with:
-          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+          audience: sts.amazonaws.com
+          role-to-assume: arn:aws:iam:::role/net.khaledez.www-github-actions
           aws-region: eu-west-2 # London
 
       - name: Setup configuration
diff --git a/terraform/infrastructure/.terraform.lock.hcl b/terraform/infrastructure/.terraform.lock.hcl
index 484e645..3f7329f 100644
--- a/terraform/infrastructure/.terraform.lock.hcl
+++ b/terraform/infrastructure/.terraform.lock.hcl
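Review bot: The account ID segment of `role-to-assume` is empty in the new `with:` block (`arn:aws:iam:::role/net.khaledez.www-github-actions`), and sts:AssumeRoleWithWebIdentity needs a complete role ARN, so the step will presumably fail at runtime unless the ID was stripped before committing; s3-backend.tf in this same diff uses account `427368570714`, which would give `role-to-assume: arn:aws:iam::427368570714:role/net.khaledez.www-github-actions`. The role name also has to equal `${var.app_name}-github-actions` from roles.tf, which this diff cannot confirm. Separately, `aws-actions/configure-aws-credentials@v3` is a mutable tag on the one step that obtains deploy credentials; pinning it to the release's commit SHA (`uses: aws-actions/configure-aws-credentials@<sha> # v3`) keeps a compromised or re-pointed tag from reaching this workflow unnoticed.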
@@ -2,21 +2,24 @@ # Manual edits may be lost in future updates. provider "registry.terraform.io/hashicorp/aws" { - version = "4.6.0" - constraints = "~> 4.6.0" + version = "5.15.0" + constraints = "~> 5.0, ~> 5.15.0" hashes = [ - "h1:mO4WiTtBisbUQqiR4V6c4h5moZdki1vyySOMVsRFrWY=", - "zh:43d00e886384dc48ca3e2949327af0dba3eb3052104367456b47882a8456ba91", - "zh:7d586c26021fd3ea9d377f8024a5bb3f8d877a84792d39f2e2e96a3ec0848480", - "zh:84a01d4060916daf2973eaaabab0cadbb97fa850b74458b0bce98565268e37c1", - "zh:8a65dbf2ec7c433bf1c751a4f0ec332fd1bddd14e8aab64de4ee01890223f3a0", - "zh:92582a5d81f2cfecb2832895091f58eec5a978cdf4982ef8d7b9d88e74b265fe", - "zh:98c61fc2bf6a3af8b6ac8233860fefe8620e382a5fd25040f58297485ea0422a", + "h1:CFUr3EXmKTr3G4Nl+Yxf24NnhKQQDCyeBG+SS4YFblE=", + "zh:069d0037cd1f8791a27ec31a535ce47d02d4f220fe88f9c3caa8661c0a98892a", + "zh:08c18e8f5f69736e86919e6c2a68c94f39f879511d51b2a8e58ad1776ee18854", + "zh:41c9c95e225f72421fa4a1c3e5105f36b3b149cba1daf9bc88b0a993c1d19e07", + "zh:51e6cf850de8a8ae0e3b4e55b45ca2e6632a149c5851158f3c2711af51adb277", + "zh:5703eacc47d5a8169d1028f8cfcdf32cd12972ebea8780e870f520020280258a", + "zh:6a77e0406126208ae217c416e4b59940cd989df4d7d5ac23dfe8043725ff8f6a", + "zh:702cc6db865aeee571a639a81be3ed36326dcbda5c0a2ca91c9280772fce3e49", + "zh:8279822c5a267869d4459e429ad7b3b8ffaa36de2f6ca29cf7779214783ddf3a", "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a32ae8bb7397b4fd4eb4f5b21a119460bc74ec4be2baf8e0cc543c6945a74415", - "zh:ae38e3d167cf69c5b8734eb581044c8621d70ed0df8b0433d5dadb6b81741483", - "zh:d4686842c9cb4a73167c73b4aa6145729237c14cb520c3eb89b22c0317923525", - "zh:dad0005f2f451512098fd1bdb838934a05267f6f170c1b652e7f12f02b595476", - "zh:f64b0387a75838776f6edbc00ad01cda323c200bd6eaafa15acc92b9cdbd9e3a", + "zh:bcb74854b0742a03b46e526bc2a79f556988c7622d54ebb2ccefc72c9759e9bc", + "zh:c7b0f4e94a9351a004a5555e91c8fe5b7da8cd2e03411cbd59d135ea8fceedd8", + 
"zh:cec427b1ef0e0948fd16736c72de57438fafcd8eeb5aab3bb1131579d2d6d031", + "zh:d5e4819851e52c15283064f6fa8cb8179a69cc981bee39e9b5ce5f027da8e251", + "zh:dade91d49309813b7453b053429678c8e7185e5ac54b2f68edb2ffea20242149", + "zh:e05e1395a738317a6761b592a5643ea5e660abd32de36ece68809cfd04a6a8e3", ] } diff --git a/terraform/infrastructure/config.tf b/terraform/infrastructure/config.tf index 7ade822..5f995c0 100644 --- a/terraform/infrastructure/config.tf +++ b/terraform/infrastructure/config.tf @@ -2,10 +2,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4.6.0" + version = "~> 5.15.0" } } - required_version = ">= 1.1.0" + required_version = ">= 1.5.0" cloud { organization = "khaledez" diff --git a/terraform/infrastructure/main.tf b/terraform/infrastructure/main.tf index a478f33..dd7ff4e 100644 --- a/terraform/infrastructure/main.tf +++ b/terraform/infrastructure/main.tf @@ -11,4 +11,5 @@ module "acm" { domains = var.domains domain_aliases = var.domain_aliases route53_zone_id = data.aws_route53_zone.primary.id + version = "2.0.0" } diff --git a/terraform/infrastructure/roles.tf b/terraform/infrastructure/roles.tf new file mode 100644 index 0000000..1283862 --- /dev/null +++ b/terraform/infrastructure/roles.tf 
@@ -0,0 +1,65 @@
+locals {
+  github_actions_issuer_domain = "token.actions.githubusercontent.com"
+}
+
+resource "aws_iam_openid_connect_provider" "github" {
+  url = "https://${local.github_actions_issuer_domain}"
+  thumbprint_list = ["1c58a3a8518e8759bf075b76b750d4f2df264fcd"]
+  client_id_list = ["sts.amazonaws.com"]
+  tags = local.common_tags
+}
+
+data "aws_iam_policy_document" "github_provider_assume_actions" {
+  statement {
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    principals {
+      type = "Federated"
+      identifiers = [aws_iam_openid_connect_provider.github.arn]
+    }
+    condition {
+      test = "StringEquals"
+      variable = "${local.github_actions_issuer_domain}:aud"
+      values = ["sts.amazonaws.com"]
+    }
+    condition {
+      test = "StringLike"
+      variable = "${local.github_actions_issuer_domain}:sub"
+      values = ["repo:khaledez/khaledez.net:*"]
+    }
+  }
+}
+
+resource "aws_iam_role" "github-actions" {
+  name = "${var.app_name}-github-actions"
+  tags = local.common_tags
+
+  assume_role_policy = data.aws_iam_policy_document.github_provider_assume_actions.json
+
+  managed_policy_arns = [
+    "arn:aws:iam::aws:policy/CloudFrontFullAccess",
+    "arn:aws:iam::aws:policy/AmazonS3FullAccess",
+  ]
+
+  inline_policy {
+    name = "manage-domain"
+    policy = jsonencode({
+      version = "2012-10-17"
+      effect = "Allow"
+      statement = {
+        action = [
+          "route53:GetHostedZone",
+          "route53:ListHostedZones",
+          "route53:ChangeResourceRecordSets",
+          "route53:ListResourceRecordSets",
+          "route53:GetHostedZoneCount",
+          "route53:ListHostedZonesByName"
+        ]
+      }
+      resource = [data.aws_route53_zone.primary.arn]
+    })
+  }
+
+  lifecycle {
+    create_before_destroy = true
+  }
+}
diff --git a/terraform/infrastructure/s3-backend.tf b/terraform/infrastructure/s3-backend.tf
index bf02bf1..1efb903 100644
--- a/terraform/infrastructure/s3-backend.tf
+++ b/terraform/infrastructure/s3-backend.tf
@@ -1,5 +1,3 @@
-data "aws_caller_identity" "current" {}
-
 data "aws_iam_policy_document" "backend" {
   statement {
     effect = "Allow"
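Review bot: The `manage-domain` inline policy near the end of the hunk would be rejected by IAM as a malformed document: its element names are lowercase (`version`, `statement`, `action`, `resource`) where IAM requires `Version`, `Statement`, `Effect`, `Action` and `Resource`, and `effect` and `resource` sit next to `statement` instead of inside it. The three list/count actions (`ListHostedZones`, `ListHostedZonesByName`, `GetHostedZoneCount`) also do not support resource-level permissions as far as I know, so they belong in a separate statement with `Resource = ["*"]`; a corrected block is below. Independently, the trust policy's `StringLike` on `sub` with `repo:khaledez/khaledez.net:*` lets a token minted for any branch, tag or pull request of the repository assume the role, while release.yml only runs on pushes to main, so `values = ["repo:khaledez/khaledez.net:ref:refs/heads/main"]` would close that. `AmazonS3FullAccess` and `CloudFrontFullAccess` likewise reach every bucket and distribution in the account, including the Terraform state bucket from s3-backend.tf; scoping them to the site bucket and to CloudFront invalidations is worth a follow-up.
```hcl
  # … unchanged: name, tags, assume_role_policy, managed_policy_arns …

  inline_policy {
    name = "manage-domain"
    # IAM policy element names are case-sensitive; Effect/Action/Resource live inside each statement.
    policy = jsonencode({
      Version = "2012-10-17"
      Statement = [
        {
          Effect = "Allow"
          Action = [
            "route53:GetHostedZone",
            "route53:ChangeResourceRecordSets",
            "route53:ListResourceRecordSets",
          ]
          Resource = [data.aws_route53_zone.primary.arn]
        },
        {
          # Listing/counting hosted zones is not resource-scoped, so it needs "*".
          Effect = "Allow"
          Action = [
            "route53:ListHostedZones",
            "route53:ListHostedZonesByName",
            "route53:GetHostedZoneCount",
          ]
          Resource = ["*"]
        },
      ]
    })
  }

  # … unchanged: lifecycle …
```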
@@ -16,8 +14,7 @@ data "aws_iam_policy_document" "backend" {
     principals {
       type = "AWS"
       identifiers = [
-        "arn:aws:iam::427368570714:user/github",
-        data.aws_caller_identity.current.arn
+        "arn:aws:iam::427368570714:root"
       ]
     }
   }
@@ -26,11 +23,9 @@ data "aws_iam_policy_document" "backend" {
 
 resource "aws_s3_bucket" "backend" {
   bucket = var.bucket_name
-  tags = {
+  tags = merge(local.common_tags, {
     Description = "Backend for terraform state"
-    Environment = "PROD"
-    App = "net.khaledez.terraform"
-  }
+  })
 }
 
 resource "aws_s3_bucket_policy" "backend" {
diff --git a/terraform/infrastructure/variables.tf b/terraform/infrastructure/variables.tf
index 98b01a8..0b011d1 100644
--- a/terraform/infrastructure/variables.tf
+++ b/terraform/infrastructure/variables.tf
@@ -1,14 +1,14 @@
 variable "domains" {
   description = "Domains to apply settings for"
-  default = ["khaledez.net", "*.dev.khaledez.net"]
+  default = ["khaledez.net", "*.preview.khaledez.net"]
 }
 
 variable "domain_aliases" {
   description = "Aliases for domains to be added to the certificate as SAN"
   type = map(set(string))
   default = {
-    "khaledez.net" = ["www.khaledez.net"],
-    "*.dev.khaledez.net" = []
+    "khaledez.net" = ["www.khaledez.net"],
+    "*.preview.khaledez.net" = []
   }
 }
 
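Review bot: Replacing the two specific principals with `arn:aws:iam::427368570714:root` in the `identifiers` list widens this Allow statement to every IAM principal in the account (the root principal delegates the decision to IAM policies), and the GitHub Actions role added in roles.tf carries `AmazonS3FullAccess`, so a workflow token would now be able to read and modify Terraform state in this bucket. If the goal is only to stop hard-coding the applying user's ARN, keep the principals explicit (`aws_iam_role.github-actions.arn` plus whichever identity runs `terraform apply`) or add an `aws:PrincipalArn` condition to the statement. The statement's `effect` and actions fall outside this hunk, so I am assuming from the bucket's description that it grants write access to state; please confirm.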