diff --git a/.github/workflows/apply.yml b/.github/workflows/apply.yml
new file mode 100644
index 0000000..db471f5
--- /dev/null
+++ b/.github/workflows/apply.yml
@@ -0,0 +1,28 @@
+---
+name: apply
+
+on:
+ push:
+ branches:
+ - main
+
+env:
+ AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
+ AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+ AWS_DEFAULT_REGION: us-east-1
+
+
+jobs:
+ apply:
+ name: apply
+ runs-on: ubuntu-latest
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ steps:
+ - name: checkout
+ uses: actions/checkout@v2
+
+ - name: terraform apply
+ uses: dflook/terraform-apply@v1
+ with:
+ path: .
diff --git a/.github/workflows/commit.yml b/.github/workflows/commit.yml
index fe0e70f..6a0c8bb 100644
--- a/.github/workflows/commit.yml
+++ b/.github/workflows/commit.yml
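Review bot: `actions/checkout@v2` and `dflook/terraform-apply@v1` are referenced by mutable tags, so whoever can move those tags can change the code that runs with the AWS credentials this job exports; pin each `uses:` to a full commit SHA and keep the tag as a comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v2`. The same applies to every `uses:` line in commit.yml, drift.yml and plan.yml. The workflow-level `env:` block also makes `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` visible to every step, including checkout; moving that block under the `terraform apply` step limits exposure to the one step that needs it. No `permissions:` block is declared, so `GITHUB_TOKEN` keeps the repository default scope; if the runner supports it, declare only what the apply action needs (posting PR comments appears to be the main use, so something like `contents: read` plus `pull-requests: write` — confirm against the action's documentation).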
@@ -1,79 +1,23 @@
-name: Terraform
+---
+name: test
 on:
 push:
- branches:
- - main
- pull_request:
-
-env:
- AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
- AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
- AWS_DEFAULT_REGION: us-east-1
-
 jobs:
- terraform:
- name: terraform
+ test:
+ name: test
 runs-on: ubuntu-latest
 steps:
 - name: checkout
 uses: actions/checkout@v2
- - name: setup terraform
- uses: hashicorp/setup-terraform@v1
+ - name: terraform fmt
+ uses: dflook/terraform-fmt-check@v1
 with:
- terraform_version: ~0.12.0
-
- - name: init
- run: terraform init
+ path: .
- - name: fmt
- run: terraform fmt -check
-
- - name: plan
- id: plan
- run: |
- set -o pipefail
- tfplan_file=$(mktemp)
- echo "::set-output name=tfplan::$tfplan_file"
- terraform plan -out=$tfplan_file -no-color
- continue-on-error: true # Make sure to post the error to the PR
-
- - name: publish plan to PR
- if: github.event_name == 'pull_request'
- uses: actions/github-script@v3
- env:
- PLAN: "${{ steps.plan.outputs.stdout }}"
+ - name: terraform validate
+ uses: dflook/terraform-validate@v1
 with:
- github-token: ${{ secrets.GITHUB_TOKEN }}
- script: |
- const output = `#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
-
Show Plan
-
- \`\`\`terraform
- ${process.env.PLAN}
- \`\`\`
-
-
-
- *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
-
- github.issues.createComment({
- issue_number: context.issue.number,
- owner: context.repo.owner,
- repo: context.repo.repo,
- body: output
- });
-
- - name: check plan status
- if: steps.plan.outcome != 'success'
- run: |
- echo "Check plan output."
- exit 1
-
- # On push to main, build or change infrastructure according to
- # Terraform configuration files
- - name: apply
- if: github.ref == 'refs/heads/main' && github.event_name == 'push'
- run: terraform apply ${{ steps.plan.outputs.tfplan }}
+ path: .
diff --git a/.github/workflows/drift.yml b/.github/workflows/drift.yml
new file mode 100644
index 0000000..3a747ea
--- /dev/null
+++ b/.github/workflows/drift.yml
@@ -0,0 +1,21 @@
+---
+name: check
+
+on:
+ schedule:
+ - cron: "0 8 * * *"
+
+jobs:
+ check_drift:
+ runs-on: ubuntu-latest
+ name: Check for drift
+ steps:
+ - name: checkout
+ uses: actions/checkout@v2
+
+ - name: check
+ uses: dflook/terraform-check@v1
+ with:
+ path: .
+
+ # TODO open an issue on failure
diff --git a/.github/workflows/plan.yml b/.github/workflows/plan.yml
new file mode 100644
index 0000000..0347f04
--- /dev/null
+++ b/.github/workflows/plan.yml
@@ -0,0 +1,26 @@
+---
+name: plan
+
+on:
+ pull_request:
+
+env:
+ AWS_ACCESS_KEY_ID: "${{ secrets.AWS_ACCESS_KEY_ID }}"
+ AWS_SECRET_ACCESS_KEY: "${{ secrets.AWS_SECRET_ACCESS_KEY }}"
+ AWS_DEFAULT_REGION: us-east-1
+
+
+jobs:
+ plan:
+ name: plan
+ runs-on: ubuntu-latest
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ steps:
+ - name: checkout
+ uses: actions/checkout@v2
+
+ - name: terraform plan
+ uses: dflook/terraform-plan@v1
+ with:
+ path: .
diff --git a/main.tf b/main.tf
index 9520a5d..20b5951 100644
--- a/main.tf
+++ b/main.tf
@@ -1,5 +1,6 @@
 provider "aws" {
- region = "us-east-1"
+ region = "us-east-1"
+ version = "~> 2.70.0"
 }
 terraform {
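Review bot: The scheduled `check_drift` job in drift.yml exports no AWS credentials — apply.yml and plan.yml both define `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_DEFAULT_REGION` at the workflow level, but this file does not, so `dflook/terraform-check` has nothing to authenticate to the S3/DynamoDB backend with unless credentials arrive some way not shown in this diff. If they do not, add the same three-line `env:` block here, preferably bound to a read-only credential, since a drift check only needs to plan. The `# TODO open an issue on failure` line is the only signal path for detected drift; until it is implemented, a failing scheduled run is visible only in the workflow's own status, so drift would go unnoticed unless someone watches it.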
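Review bot: plan.yml runs `terraform plan` on every `pull_request` with the same `AWS_ACCESS_KEY_ID`/`AWS_SECRET_ACCESS_KEY` secrets that apply.yml uses to change infrastructure, so provider and data-source code arriving in a PR executes with apply-level credentials before anyone has reviewed it. Use a separately scoped, read-only credential for the plan job and reserve the write credential for the apply workflow, optionally behind a protected `environment:` if the runner supports it. GitHub does not supply repository secrets to `pull_request` runs from forks, so fork PRs would simply fail at the plan step, but PRs from branches in this repository do receive them.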
@@ -10,6 +11,8 @@ terraform {
 encrypt = true
 dynamodb_table = "datagov-lock-table"
 }
+
+ required_version = "~> 0.12.0"
 }
 # https://github.com/18F/aws-admin/blob/035c2dc740fe80cf0e6d5a9cb800cf39bd18d34b/terraform/iam/base.tf#L121-L131
diff --git a/user/main.tf b/user/main.tf
index 75a8fbf..d1fb605 100644
--- a/user/main.tf
+++ b/user/main.tf
@@ -1,5 +1,5 @@
 resource "aws_iam_user" "default" {
- name = var.name
+ name = var.name
 # Ensure we can delete the user if non-terraform MFA or login profiles are
 # created.
@@ -7,6 +7,6 @@ resource "aws_iam_user" "default" {
 }
 resource "aws_iam_user_group_membership" "default" {
- user = aws_iam_user.default.name
+ user = aws_iam_user.default.name
 groups = var.groups
 }
diff --git a/user/variables.tf b/user/variables.tf
index 175c4ef..c9d0f35 100644
--- a/user/variables.tf
+++ b/user/variables.tf
@@ -3,6 +3,6 @@ variable "name" {
 }
 variable "groups" {
- default = []
+ default = []
 description = "List of IAM groups to assign the user to."
 }