diff --git a/.gitea/workflows/validate.yml b/.gitea/workflows/validate.yml
index a4513ed..46c6570 100644
--- a/.gitea/workflows/validate.yml
+++ b/.gitea/workflows/validate.yml
@@ -39,17 +39,18 @@ jobs:
 
       - name: Terraform Validate
         id: validate
-        run: terraform validate
+        run: terraform validate -var="vault_token=${{ secrets.VAULT_TOKEN }}"
 
       - name: Terraform Plan
         id: plan
-        run: terraform plan -var="cloudflare_api_token=${{ secrets.CLOUDFLARE_API_TOKEN }}" -var="vault_token=${{ secrets.VAULT_TOKEN }}"
+        run: terraform plan -var="vault_token=${{ secrets.VAULT_TOKEN }}"
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         
       - name: Terraform Apply
-        run: terraform apply -var="cloudflare_api_token=${{ secrets.CLOUDFLARE_API_TOKEN }}" -var="vault_token=${{ secrets.VAULT_TOKEN }}" --auto-approve --input=false
+        if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+        run: terraform apply -var="vault_token=${{ secrets.VAULT_TOKEN }}" --auto-approve --input=false
         env:
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}